NATIONAL ARCHIVES
Performance Measurement and Reporting System (PMRS)
Privacy Impact Assessment, September 12, 2013
Prepared for
National Archives and Records Administration, Performance and Accountability Staff, 8601 Adelphi Road, College Park, MD 20740-6001
CACI, 1100 North Glebe Rd, Arlington, VA 22201, (703) 841-7800
Last Updated September 18, 2013 hprivacypiaspmrs privacy impact assessment 2013-09-12docx
Table of Contents
1 Overview of PMRS
1.1 A DATA WAREHOUSE
1.2 PARTS OF PMRS RELEVANT TO PRIVACY
1.3 BORDERLINE CASES NOT DISCUSSED FURTHER
2 Employee Data
2.1 EMPLOYEE INFORMATION BEING COLLECTED
2.2 WHY THE EMPLOYEE INFORMATION IS BEING COLLECTED
2.3 INTENDED USE OF THIS INFORMATION
2.4 SHARING OF COLLECTED INFORMATION
2.5 OPPORTUNITIES FOR INDIVIDUALS TO DECLINE PROVIDING INFORMATION
2.6 SECURITY OF COLLECTED INFORMATION
3 Written Requests & FOIAs in the Unit Logs
3.1 WRITTEN REQUEST AND FOIA INFORMATION BEING COLLECTED IN THE UNIT LOGS
3.2 WHY THE WRITTEN REQUEST AND FOIA INFORMATION IS BEING COLLECTED
3.3 INTENDED USE OF THIS INFORMATION
3.4 SHARING OF COLLECTED INFORMATION
3.5 OPPORTUNITIES FOR INDIVIDUALS TO DECLINE PROVIDING INFORMATION
3.6 SECURITY OF COLLECTED INFORMATION
4 Written Requests & FOIAs in the PMRS Web Application
4.1 WRITTEN REQUEST AND FOIA INFORMATION BEING COLLECTED IN THE WEB APPLICATION
4.2 WHY THE WRITTEN REQUEST AND FOIA INFORMATION IS BEING COLLECTED
4.3 INTENDED USE OF THIS INFORMATION
4.4 SHARING OF COLLECTED INFORMATION
4.5 OPPORTUNITIES FOR INDIVIDUALS TO DECLINE PROVIDING INFORMATION
4.6 SECURITY OF COLLECTED INFORMATION
5 Is this a System of Record Covered by the Privacy Act?
6 Conclusions and Analysis
6.1 DID ANY PERTINENT ISSUES ARISE DURING THE DRAFTING OF THIS ASSESSMENT?
6.2 IF SO, WHAT CHANGES WERE MADE TO THE SYSTEM/APPLICATION TO COMPENSATE?
7 Approvals
Update History
Date | Version | Changes | Author
Aug 22, 2008 | 1.0 | Initial | S Beste
May 19, 2010 | 1.1 | No substantive changes. Minor grammatical and technical changes were made. For instance, all the Access databases referred to have been migrated to Access 2007, so their file names end in .accdb vice .mdb. All citations herein were correspondingly updated. | S Beste
Apr 29, 2011 | 1.2 | No substantive changes. Organization codes have been changed to reflect the NARA reorganization in the spring of 2011. The document was converted to Word 2007. | S Beste
Aug 27, 2012 | | Data containing RNO and disability information is anonymous throughout PMRS. Age replaces birth date throughout. Age has replaced Date of Birth throughout PMRS. I dropped version numbers in favor of just using the dates. FPPS replaces CHRIS. I cleaned up the page numbers. | S Beste
Sep 12, 2013 | | Employee database in Access dropped, replaced by the Employee Log in the web app. | S Beste
Privacy Impact Assessment
Name of the Project: Performance Measurement and Reporting System
Project ID: PMRS
Legal Authority: Government Performance and Results Act, 1993 (GPRA)
Purpose of this System: GPRA provides that agencies will have strategic plans with numeric performance targets. It further provides that agencies shall report their progress against those goals with auditable figures. PMRS is the system that collects and reports those auditable performance results at NARA.
1 Overview of PMRS
1.1 A Data Warehouse
PMRS is a data warehouse application. As such, it has no data of its own. Rather, it gathers data from 71 NARA sources for the purpose of combining and publishing them through a common user interface. This is the big picture:
[Figure: Performance Measurement and Reporting System, Overview. Labels: Sources; Collect Data; Store; Publish on NARANET; Everyone]
PMRS pulls hundreds of data elements from these databases each month, covering every aspect of NARA operations. Most of this has nothing to do with individuals or their privacy.
1.2 Parts of PMRS Relevant to Privacy
The diagram below shows where personally-sensitive information resides in PMRS. The dark background defines the boundary of PMRS. The colors pink and green show the two categories of data at issue:
• Pink: FOIA requests and written requests - data on requests for information from the public, by FOIA or otherwise
• Green: Employee data
The rest of this assessment treats these two categories separately. But understand how all the data flows into and out of PMRS.
[Figure: Performance Measurement and Reporting System, Flow of Personal Information through PMRS. Legend: Written request & FOIA data; Employee data. Labels: Staging Area; Everyone on NARANET; Human Capital only]
1. People enter data into source databases at left. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS). The privacy impacts of those systems are not covered here. We have one exception: the PMRS web application is inside the PMRS boundary. It is a source database that is also part of PMRS.
2. Some databases are sent whole to PMRS each month. For example, NGC sends its entire FOIA-tracking database to the PMRS staging area every month.
3. Other systems send only extracts. With the exception of the extract from FPPS, these extract databases do not contain data on individuals.
4. The Performance and Accountability Staff (CP) stages everything. All incoming data takes the form of a file in the PMRS staging folder.
5. CP keeps a copy of every submission. For data quality and audit purposes, CP keeps a copy of every database it receives. It does this by saving a copy of the staging area each month.
6. CP loads the warehouse. Except for employee data, the warehouse contains no personally-identifiable information.
7. CP publishes to everyone on NARANET. This is the publication side of PMRS. It contains summary data only and no privacy data.
8. CP publishes employee data to the Office of Human Capital (H). A small amount of personally-identifiable employee data goes to selected people in H for use in workforce planning.
1.3 Borderline Cases Not Discussed Further
In the interest of complete disclosure, PMRS touches on two other categories of personal information.
1.3.1 Data Regarding Online Reproduction Orders
PMRS collects data on every reproduction order placed through SOFA. However, it collects only the fields below. None of these identifies the requester or the subject of the request. Therefore, this data has no bearing on privacy and will not be discussed further.
[Table of collected fields, largely illegible. Legible entries: payment type cd; servicing part of the work flow; production part of the work flow; ready-for-shipment part of the work flow]
1.3.2 Employee Log-In Data
The PMRS web application is used by about 250 NARA employees. Regarding these users, the application stores:
• Their name
• Their organization code(s)
• Their NARANET login ID
• The date and time of their last login
• The user ID and a timestamp of the last change made to every row of data. This information is visible to any colleague who can see that row of data.
This data is used to:
• Restrict system access to registered users
• Restrict user access to just the logs and organizations they need
• Spot users who are inactive in the system (and who may therefore need to be dropped)
• Maintain accountability for the data by revealing who last changed it
This information is necessary for the reasonable functioning of the system. No use is made of the data outside of the application. It is not particularly sensitive. Therefore, this data will not be discussed further.
2 Employee Data
This diagram is an extract of the one on page 2. It shows just the data about employees.
[Figure: Performance Measurement and Reporting System, Employee Data in PMRS. Legend: Employee data. Labels: Human Capital only]
2.1 Employee Information Being Collected
Employee data enters PMRS from two sources:
• FPPS, the personnel system. This is the major source. Every month, HTS emails CP an extract from FPPS. This is shown at left in the diagram above.
• PMRS Web App (Employee Log). This web log holds a list of employees and a checkmark from their manager as to whether they are eligible to telework or not.
2.1.1 FPPS Extract.accdb
This is PMRS's receiving database for the extract coming from FPPS. It is essentially an envelope for moving the data. It has no queries for analyzing the data. It has two tables for employees: one with identifying information but no RNO [1] data, and one with the reverse. See the displays below.
Employee Data with IDs - EMPLOYEE ID table
See the list of fields on the next page. This is a table of all current employees plus those who departed within the last year. The most sensitive fields are:
• NARA employee number
• Employee name
[1] RNO = Race and national origin
Field name | Data type | Description
[illegible] | [illegible] | NARA's unique employee identifier. [illegible]
[illegible] | [illegible] | Last name and first name of the employee
[illegible] | [illegible] | A code designating scheduled pay grades, typically meaning GS (General Schedule)
[illegible] | [illegible] | Level of the position, such as the 13 in GS-13
occupational series cd | Text | A code describing the kind of duties to which the employee has been assigned
supervisory level cd | Text | A code indicating the employee's supervisory role
nara org cd | Text | OrgCode from PRS
facility cd | Text | The duty [illegible] code from CHRIS, the personnel system
position title txt | Text | Title of the employee's position
hire dt | DateTime | The date the employee's tenure at NARA officially began. Dt EOD NARA
separation dt | DateTime | The date the employee's tenure at NARA officially ended. Dt separated
separation reason [illegible] | Text | From the personnel system, a code [illegible] an employee left NARA
appt type cd | Text | A code indicating the rule under which the employee holds this position
gender cd | Text | A code indicating the employee's sex
patcob cd | Text | A code indicating whether the person's position is professional [illegible]
appt auth cd | Text | 3 digit code that identifies an appointment authority
work schedule cd | Text | A code that distinguishes between full-time, part-time, intermittent, and seasonal employment
retirement eligibility dt | DateTime | The earliest date that this employee will be eligible to retire
federal service start dt | DateTime | SCD (leave) in CHRIS. This is the date to use for calculating years in service [illegible]
last promotion dt | DateTime | The date of the employee's last promotion. If none, then [hire dt]
retirement plan cd | Text | The code that indicates which retirement plan applies to this employee
target grade num | Number | The top grade level of the employee's current career track
record status txt | Text | Status of the record as a result of the last update from the personnel system
idp fg | YesNo | Yes = This employee has an Individual Development Plan approved as being linked to strategic goals
idp dt | DateTime | The date on which the employee's Individual Development Plan was approved as being linked to strat
end of month idp dt | DateTime | As of end of last quarter. The date on which the employee's Individual Development Plan was approv
performance plan fg | YesNo | Yes = This employee has a current performance appraisal plan approved as being linked to strategic goa
performance plan dt | DateTime | The date on which the employee's performance appraisal plan was approved as being linked to strateg
end of month performance plan dt | DateTime | As of end of last quarter. The date on which the employee's performance appraisal plan was approve
new nara org cd | Text | Manually entered by the PMRS Administrator during times of reorganization when people have both o
cancel idp fg | YesNo | Temp data. Yes = Cancel the person's IDP in Employee.mdb. Incoming data shows a change in org pos
cancel performance plan fg | YesNo | Temp data. Yes = Cancel the person's performance plan in Employee.mdb. Incoming data shows a cha
standard name | Text | Used for linking to data coming from ETAMS to data from CHRIS. See the ETAMS import code
Employee Data with IDs - EMPLOYEE RNO table
This covers only current employees. It is anonymized, meaning that employee names and IDs are not in the table. What remains is statistical information only, particularly:
• Disability code
• Self-declared race code
[Table image: Employee RNO table]
2.1.2 PMRS Web App (Employee Log)
This is where managers check off people as being eligible to telework or not. It contains the minimum number of fields to support that function. The list of employees gets updated by FPPS Extract.accdb every time it imports new data from FPPS.
Beyond the confluence of employee name and number, this database has no sensitive data.
[Table of fields, largely illegible. Legible description: The month and year for which eligibility applies]
2.1.3 PMRS Warehouse
This is the heart of PMRS. It stores data on all employees, present and past, with monthly snapshots of various properties such as their current grade and position title. The database resides in SQL Server running on the PMRSprod Windows server. Access is restricted to the PMRS Administrator.
As with the feed files and FPPS Extract.accdb, the warehouse segregates the employee data into two areas:
• Data with identifying information but no RNO or disability information
• The reverse: anonymized data with RNO and disability information
Tables with Identifiers
This is EMPLOYEE, the parent table, with one row for every employee, past and present. Sensitive fields are:
• NARA employee number
• Employee name
This is EMPLOYEE MONTH ID, with one record for each employee each month. It is child to EMPLOYEE, with the link back being through [employee num]. This contains no RNO data.
[Table: EMPLOYEE MONTH ID fields. Columns: Field Name, Data Type. Legible rows: position title txt (Text); pay plan cd (Text); series cd (Text); supervisory level cd; appointment type cd; appointing authority cd (Text); gender cd (Text); patcob cd (Text); work schedule cd (Text); target grade num (Number); last promotion dt (DateTime); employee qty (Number); performance plan qty]
This is EMPLOYEE MONTH, with one record for each employee each month. However, the data is anonymous.
[Table: EMPLOYEE MONTH fields. Columns: Field Name, Data Type. Legible field names: race combo cd; work schedule cd; grade num; federal service start dt; retirement plan cd; retirement eligibility dt; employee qty; employee age; patcob cd]
2.1.4 The Databeacon Web Site
PMRS publishes its data on NARANET using Databeacon. Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser. Our standard Employee cube lets users slice the data on 17 dimensions such as pay plan, grade, supervisory level, org code, gender, race, or any combination of these. The system does not let users ask about individuals. Indeed, neither employee names nor numbers are on the web site. However, by slicing the data fine enough, users can sometimes tell who the data is describing, especially in small units where there may be only one female GS-9 Archives Technician. Therefore, when H asked for more dimensions, in particular a breakout by people's ages, we knew that we had a privacy issue.
Our solution was to give H the additional dimensions they want, but to put that data at a hidden location on the PMRS web site. The data is accessible by anyone on NARANET, but only if they know the URL. Databeacon has no security facilities of its own.
The sensitive data here is people's ages, and the possibility that users could connect an age with a specific employee by qualifying all the other dimensions enough, as described above.
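The slicing risk described above can be measured before a cube is published. The following is an added example, not part of the original assessment and not Databeacon code; the rows, dimension names and threshold k are constructed for illustration. It goes one step beyond the text by also flagging cells whose members all share one age band, since those disclose an age even when more than one person is in the cell.

```python
from collections import Counter
from itertools import combinations

# Constructed snapshot rows (illustrative only, not NARA data): one per employee.
COLS = ("org", "pay_plan", "grade", "gender", "title", "age_band")
ROWS = [dict(zip(COLS, r)) for r in [
    ("RX", "GS", 9, "F", "Archives Technician", "30-39"),
    ("RX", "GS", 9, "M", "Archives Technician", "30-39"),
    ("RX", "GS", 9, "M", "Archives Technician", "40-49"),
    ("RX", "GS", 9, "M", "Archives Technician", "30-39"),
    ("RX", "GS", 12, "F", "Archivist", "50-59"),
    ("RX", "GS", 12, "F", "Archivist", "50-59"),
    ("RX", "GS", 12, "M", "Archivist", "40-49"),
    ("LP", "GS", 9, "F", "Archives Technician", "20-29"),
    ("LP", "GS", 9, "F", "Archives Technician", "20-29"),
    ("LP", "GS", 9, "F", "Archives Technician", "20-29"),
    ("LP", "GS", 12, "M", "Archivist", "50-59"),
    ("LP", "GS", 12, "M", "Archivist", "50-59"),
]]
BASE_DIMS = ("org", "pay_plan", "grade", "gender", "title")


def cell_counts(rows, dims):
    """Head count for every cell a user can reach by slicing on dims."""
    return Counter(tuple(r[d] for d in dims) for r in rows)


def small_cells(rows, dims, k):
    """Cells describing fewer than k people (k=2 finds lone individuals)."""
    return {c: n for c, n in cell_counts(rows, dims).items() if n < k}


def min_dims_to_isolate(rows, dims, k):
    """Fewest dimensions a user must combine to reach a cell below k.

    Returns None when no combination of the given dimensions does so.
    """
    for depth in range(1, len(dims) + 1):
        for combo in combinations(dims, depth):
            if small_cells(rows, combo, k):
                return depth
    return None


def single_valued_cells(rows, dims, sensitive):
    """Cells where every member has the same value of the sensitive field.

    Knowing someone is in such a cell reveals that value, whatever the
    cell size. Returns {cell: (head count, disclosed value)}.
    """
    values = {}
    for r in rows:
        values.setdefault(tuple(r[d] for d in dims), []).append(r[sensitive])
    return {c: (len(v), v[0]) for c, v in values.items() if len(set(v)) == 1}


def suppressed_cube(rows, dims, k):
    """Publishable counts: cells below k are withheld (None) instead of shown."""
    return {c: (n if n >= k else None) for c, n in cell_counts(rows, dims).items()}


if __name__ == "__main__":
    fine = ("org", "grade", "gender", "title")
    print("lone individuals:", small_cells(ROWS, fine, 2))
    print("dims needed without age:", min_dims_to_isolate(ROWS, BASE_DIMS, 2))
    print("dims needed with age:",
          min_dims_to_isolate(ROWS, BASE_DIMS + ("age_band",), 2))
    print("age disclosed in:", single_valued_cells(ROWS, fine, "age_band"))
```

Withholding a single cell is not sufficient when row or column totals are also published, because the withheld count can be recovered by subtraction.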
hr_employee
The main cube, hr_employee, has two measures that can be broken out in 20 dimensions (right). The data covers monthly snapshots of active employees.
Dimensions legible in the screenshot:
• All Pay Plans
• All Occupational Series
• Both Perm & Temp
• Both Full & Part-time
• All Race/Ethnic Groups
• All Supervisory Levels
• Both Students & Non-students
• All Retirement Plans
• Retirement Eligibility
• All Target Grades
• All Time in Grade
• All Years of Federal Service
• All Ages
• All Functions
Measures:
• # of Employees
• # of Retirement-eligible Employees
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender, and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS, except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone - these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN, or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None.
2.3.10 Can the use of the system allow NARA to treat the public, employees, or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully, it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate, and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None.
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined, and by whom? Are criteria, procedures, controls, and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H and the people they share the URL with have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system, or will the user's access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system, and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive, or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local, or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness, and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus, the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule, N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule, N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Figure: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Legend: Written request & FOIA data. Labels: Everyone on NARANET]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore, the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office
• 9 go to the PMRS point of contact in R, the central office of the Research Services office
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching, and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit
• The limited sensitivity of the data
• The very limited additional exposure that the present system incurs
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None.
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None.
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Figure: Performance Measurement and Reporting System - Written Request & FOIA Data in PMRS. Legend: arrow = Written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs. The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES; the PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests. Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
[Screenshot: Web - FOIA DATA ENTRY]
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical or data mining or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule, N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing, or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A
7 Approvals
The Following Officials Have Approved this PIA
System Manager, 09/13/13: Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
Update History
Aug 22, 2008 | 1.0 | Initial | S Beste
May 19, 2010 | 1.1 | No substantive changes. Minor grammatical and IT technical changes were made. For instance, all the Access databases referred to have been migrated to Access 2007, so their file names end in .accdb vice .mdb. All citations herein were correspondingly updated. | S Beste
Apr 29, 2011 | 1.2 | No substantive changes. Organization codes have been changed to reflect the NARA reorganization in the spring of 2011. The document was converted to Word 2007. | S Beste
Aug 27, 2012 | • Data containing RNO and disability information is anonymous throughout PMRS. • Age replaces birth date throughout. Age has replaced Date of Birth throughout PMRS. I dropped version numbers in favor of just using the dates. FPPS replaces CHRIS. I cleaned up the page numbers. | S Beste
Sep 12, 2013 | • Employee database in Access dropped, replaced by the Employee Log in the web app. | S Beste
Privacy Impact Assessment
Name of the Project: Performance Measurement and Reporting System
Project ID: PMRS
Legal Authority: Government Performance and Results Act, 1993 (GPRA)
Purpose of this System: GPRA provides that agencies will have strategic plans with numeric performance targets. It further provides that agencies shall report their progress against those goals with auditable figures. PMRS is the system that collects and reports those auditable performance results at NARA.
1 Overview of PMRS
1.1 A Data Warehouse
PMRS is a data warehouse application. As such, it has no data of its own. Rather, it gathers data from 71 NARA sources for the purpose of combining and publishing them through a common user interface. This is the big picture:
[Figure: Performance Measurement and Reporting System - Overview. Labels: Sources; Collect Data; Store; Publish on NARANET; Everyone.]
PMRS pulls hundreds of data elements from these databases each month, covering every aspect of NARA operations. Most of this has nothing to do with individuals or their privacy.
1.2 Parts of PMRS Relevant to Privacy
The diagram below shows where personally-sensitive information resides in PMRS. The dark background defines the boundary of PMRS. The colors pink and green show the two categories of data at issue:
• Pink: FOIA requests and written requests - data on requests for information from the public, by FOIA or otherwise
• Green: Employee data
The rest of this assessment treats these two categories separately. But understand how all the data flows into and out of PMRS.
[Figure: Performance Measurement and Reporting System - Flow of Personal Information through PMRS. Legend: Written request & FOIA data; Employee data. Labels: Staging Area; Everyone on NARANET; Human Capital only.]
1. People enter data into source databases at left. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS ...). The privacy impacts of those systems are not covered here. We have one exception: the PMRS web application is inside the PMRS boundary. It is a source database that is also part of PMRS.
2. Some databases are sent whole to PMRS each month. For example, NGC sends its entire FOIA-tracking database to the PMRS staging area every month.
3. Other systems send only extracts. With the exception of the extract from FPPS, these extract databases do not contain data on individuals.
4. The Performance and Accountability Staff (CP) stages everything. All incoming data takes the form of a file in the PMRS staging folder.
5. CP keeps a copy of every submission. For data quality and audit purposes, CP keeps a copy of every database it receives. It does this by saving a copy of the staging area each month.
6. CP loads the warehouse. Except for employee data, the warehouse contains no personally-identifiable information.
7. CP publishes to everyone on NARANET. This is the publication side of PMRS. It contains summary data only and no privacy data.
8. CP publishes employee data to the Office of Human Capital (H). A small amount of personally-identifiable employee data goes to selected people in H for use in workforce planning.
1.3 Borderline Cases Not Discussed Further
In the interest of complete disclosure, PMRS touches on two other categories of personal information.
1.3.1 Data Regarding Online Reproduction Orders
PMRS collects data on every reproduction order placed through SOFA. However, it collects only the fields below. None of these identifies the requester or the subject of the request. Therefore, this data has no bearing on privacy and will not be discussed further.
[Table of collected fields; only fragments are legible: servicing part of the work flow; production part of the work flow; ready-for-shipment part of the work flow.]
1.3.2 Employee Log-In Data
The PMRS web application is used by about 250 NARA employees. Regarding these users, the application stores:
• Their name
• Their organization code(s)
• Their NARANET login ID
• The date and time of their last login
• The user ID and a timestamp of the last change made to every row of data. This information is visible to any colleague who can see that row of data.
This data is used to:
• Restrict system access to registered users
• Restrict user access to just the logs and organizations they need
• Spot users who are inactive in the system (and who may therefore need to be dropped)
• Maintain accountability for the data by revealing who last changed it
This information is necessary for the reasonable functioning of the system. No use is made of the data outside of the application. It is not particularly sensitive. Therefore, this data will not be discussed further.
2 Employee Data
This diagram is an extract of the one on page 2. It shows just the data about employees.
[Figure: Performance Measurement and Reporting System - Employee Data in PMRS. Legend: arrow = Employee data. Label: Human Capital only.]
2.1 Employee Information Being Collected
Employee data enters PMRS from two sources:
• FPPS, the personnel system. This is the major source. Every month HTS emails CP an extract from FPPS. This is shown at left in the diagram above.
• PMRS Web App (Employee Log). This web log holds a list of employees and a checkmark from their manager as to whether they are eligible to telework or not.
2.1.1 FPPS Extract.accdb
This is PMRS's receiving database for the extract coming from FPPS. It is essentially an envelope for moving the data. It has no queries for analyzing the data. It has two tables for employees - one with identifying information but no RNO¹ data, and one with the reverse. See the displays below.
Employee Data with IDs - EMPLOYEE ID table
See the list of fields on the next page. This is a table of all current employees plus those who departed within the last year. The most sensitive fields are:
• NARA employee number
• Employee name
¹ RNO = Race and national origin
Fields of the EMPLOYEE ID table, as far as they are legible (field name, data type: description):
• (field name illegible): NARA's unique employee identifier (rest of the description illegible)
• (field name illegible): Last name and first name of the employee
• (field name illegible): Level of the position, such as the "13" in GS-13
• occupational series cd, Text: A code describing the kind of duties to which the employee has been assigned
• supervisory level cd, Text: A code indicating the employee's supervisory role
• position title txt, Text: Title of the employee's position
• hire dt, DateTime: The date the employee's tenure at NARA officially began. Dt EOD NARA
• separation dt, DateTime: The date the employee's tenure at NARA officially ended. Dt separated
• (field name illegible), Text: From the personnel system, a code for the reason an employee left NARA
• gender cd, Text: A code indicating the employee's sex
• patcob cd, Text: A code indicating whether the person's position is professional, …
• (field name illegible), Text: 3 digit code that identifies an appointment authority
• work schedule cd, Text: A code that distinguishes between full-time, part-time, intermittent, and seasonal employment
• retirement eligibility dt, DateTime: The earliest date that this employee will be eligible to retire
• federal service start dt, DateTime: SCD (leave) in CHRIS. This is the date to use for calculating years in service …
• last promotion dt, DateTime: The date of the employee's last promotion. If none, then [hire dt]
• retirement plan cd, Text: The code that indicates which retirement plan applies to this employee
• target grade num, Number: The top grade level of the employee's current career track
• record status txt, Text: Status of the record as a result of the last update from the personnel system
• idp fg, Yes/No: Yes = This employee has an Individual Development Plan approved as being linked to strategic goals
• idp dt, DateTime: The date on which the employee's Individual Development Plan was approved as being linked to strate…
• end of month idp dt, DateTime: As of end of last quarter. The date on which the employee's Individual Development Plan was approv…
• performance plan fg, Yes/No: Yes = This employee has a current performance appraisal plan approved as being linked to strategic goa…
• performance plan dt, DateTime: The date on which the employee's performance appraisal plan was approved as being linked to strateg…
• end of month performance plan dt, DateTime: As of end of last quarter. The date on which the employee's performance appraisal plan was approvec…
• new nara org cd, Text: Manually entered by the PMRS Administrator during times of reorganization when people have both o…
• cancel idp fg, Yes/No: Temp data. Yes = Cancel the person's IDP in Employee.mdb. Incoming data shows a change in org pos…
• cancel performance plan fg, Yes/No: Temp data. Yes = cancel the person's performance plan in Employee.mdb. Incoming data shows a cha…
• standard name, Text: Used for linking to data coming from ETAMS to data from CHRIS. See the ETAMS import code
Employee Data with IDs - EMPLOYEE RNO table
This covers only current employees. It is anonymized, meaning that employee names and IDs are not in the table. What remains is statistical information only, particularly:
• Disability code
• Self-declared race code
[Screenshot: Employee RNO table]
2.1.2 PMRS Web App (Employee Log)
This is where managers check off people as being eligible to telework or not. It contains the minimum number of fields to support that function. The list of employees gets updated by FPPS Extract.accdb every time it imports new data from FPPS.
Beyond the confluence of employee name and number, this database has no sensitive data.
[Table of Employee Log fields; the only legible description reads: "The month and year for which eligibility applies".]
2.1.3 PMRS Warehouse
This is the heart of PMRS. It stores data on all employees, present and past, with monthly snapshots of various properties such as their current grade and position title. The database resides in SQL Server running on the PMRSprod Windows server. Access is restricted to the PMRS Administrator.
As with the feed files and FPPS Extract.accdb, the warehouse segregates the employee data into two areas:
• Data with identifying information but no RNO or disability information
• The reverse: Anonymized data with RNO and disability information
Tables with Identifiers
This is EMPLOYEE, the parent table, with one row for every employee, past and present. Sensitive fields are:
• NARA employee number
• Employee name
This is EMPLOYEE MONTH ID, with one record for each employee each month. It is child to EMPLOYEE, with the link back being through [employee num]. This contains no RNO data.
[Table: fields of EMPLOYEE MONTH ID (field name, data type). Legible field names: position title txt, pay plan cd, series cd, supervisory level cd, appointment type cd, appointing authority cd, gender cd, patcob cd, work schedule cd, target grade num, last promotion dt, employee qty, performance plan qty.]
This is EMPLOYEE MONTH, with one record for each employee each month. However, the data is anonymous.
[Table: fields of EMPLOYEE MONTH (field name, data type). Legible field names: work schedule cd, grade num, federal service start dt, retirement plan cd, retirement eligibility dt, employee qty, employee age, patcob cd.]
2.1.4 The Databeacon Web Site
PMRS publishes its data on NARANET using Databeacon. Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser. Our standard Employee cube lets users slice the data on 17 dimensions such as pay plan, grade, supervisory level, org code, gender, race, or any combination of these. The system does not let users ask about individuals. Indeed, neither employee names nor numbers are on the web site. However, by slicing the data fine enough, users can sometimes tell who the data is describing, especially in small units where there may be only one female GS-9 Archives Technician. Therefore, when H asked for more dimensions - in particular a breakout by people's ages - we knew that we had a privacy issue.
Our solution was to give H the additional dimensions they want, but to put that data at a hidden location on the PMRS web site. The data is accessible by anyone on NARANET, but only if they know the URL. Databeacon has no security facilities of its own.
The sensitive data here is people's ages and the possibility that users could connect an age with a specific employee by qualifying all the other dimensions enough, as described above.
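The slicing risk described above can be measured before a cube is published. The following is an added example, not part of the original assessment or of PMRS: it counts how many people share each combination of dimension values in a constructed snapshot, lists the combinations held by a single person, and shows which age band a viewer would learn for each. The rows, the dimension names and the threshold k are assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample rows (assumption): one monthly snapshot as a published
# cube would hold it, with no names or employee numbers, only dimensions.
SNAPSHOT = [
    {"org": "A1", "pay_plan": "GS", "grade": 9,  "gender": "F", "age_band": "30-39"},
    {"org": "A1", "pay_plan": "GS", "grade": 9,  "gender": "M", "age_band": "40-49"},
    {"org": "A1", "pay_plan": "GS", "grade": 9,  "gender": "M", "age_band": "50-59"},
    {"org": "A1", "pay_plan": "GS", "grade": 11, "gender": "M", "age_band": "30-39"},
    {"org": "A1", "pay_plan": "GS", "grade": 11, "gender": "F", "age_band": "40-49"},
    {"org": "B2", "pay_plan": "GS", "grade": 9,  "gender": "F", "age_band": "20-29"},
    {"org": "B2", "pay_plan": "GS", "grade": 9,  "gender": "F", "age_band": "50-59"},
    {"org": "B2", "pay_plan": "GS", "grade": 12, "gender": "M", "age_band": "60+"},
]

# Dimensions a colleague is likely to know about a co-worker already
# (hypothetical names, chosen for this example).
QUASI_IDENTIFIERS = ("org", "pay_plan", "grade", "gender")
SENSITIVE = "age_band"


def cell_counts(rows, dims):
    """Number of people in each cell when the data is sliced on dims."""
    return Counter(tuple(row[d] for d in dims) for row in rows)


def small_cells(rows, dims, k):
    """Cells that hold fewer than k people when sliced on dims."""
    return {cell: n for cell, n in cell_counts(rows, dims).items() if n < k}


def rows_in_small_cells(rows, dims, k):
    """How many people sit in a cell smaller than k for this slice."""
    return sum(small_cells(rows, dims, k).values())


def exposed_values(rows, dims, sensitive=SENSITIVE):
    """For every single-person cell, the sensitive value a viewer would read."""
    singles = small_cells(rows, dims, k=2)
    exposed = {}
    for row in rows:
        cell = tuple(row[d] for d in dims)
        if cell in singles:
            exposed[cell] = row[sensitive]
    return exposed


def worst_case_by_slice_depth(rows, dims, k):
    """For each number of dimensions sliced at once, the largest count of
    people left in cells smaller than k over all dimension combinations."""
    return {
        depth: max(rows_in_small_cells(rows, combo, k)
                   for combo in combinations(dims, depth))
        for depth in range(1, len(dims) + 1)
    }


if __name__ == "__main__":
    dims = ("org", "grade", "gender")
    for cell, age in sorted(exposed_values(SNAPSHOT, dims).items()):
        print("single-person cell", cell, "reveals age band", age)
    print(worst_case_by_slice_depth(SNAPSHOT, QUASI_IDENTIFIERS, k=2))
```

A release check built on this would suppress or merge every cell that `small_cells` returns before the sensitive dimension is added to the cube.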
hr_employee
The main cube, hr_employee, has two measures that can be broken out in 20 dimensions (right). The data covers monthly snapshots of active employees.
[Screenshot: hr_employee dimension list. Legible entries: All Pay Plans; All Occupational Series; Both Perm & Temp; Both Full & Part-time; All Race/Ethnic Groups; All Supervisory Levels; Both Students & Non-students; All Retirement Plans; Retirement Eligibility; All Target Grades; All Time in Grade; All Years of Federal Service; All Ages; All Functions. Measures: Employees; Retirement-eligible Employees.]
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender, and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS - except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone - these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN, or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None.
2.3.10 Can the use of the system allow NARA to treat the public, employees, or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully, it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate, and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None.
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined, and by whom? Are criteria, procedures, controls, and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H and the people they share the URL with have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system, or will the user's access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system, and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive, or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local, or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness, and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Label: Everyone on NARANET. Legend: Written request & FOIA data.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore, the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind, and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office
• 9 go to the PMRS point of contact in R, the central office of the Research Services office
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server, accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching, and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit.
• The limited sensitivity of the data.
• The very limited additional exposure that the present system incurs.
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost.
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None.
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None.
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Legend: Written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES; the PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical, data mining, or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing, or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A.
7 Approvals
The Following Officials Have Approved this PIA
System Manager 091313
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
Update History
Aug 22, 2008 (1.0, S Beste): Initial.
May 19, 2010 (1.1, S Beste): No substantive changes. Minor grammatical and technical changes were made. For instance, all the Access databases referred to have been migrated to Access 2007, so their file names end in .accdb vice .mdb. All citations herein were correspondingly updated.
Apr 29, 2011 (1.2, S Beste): No substantive changes. Organization codes have been changed to reflect the NARA reorganization in the spring of 2011. The document was converted to Word 2007.
Aug 27, 2012 (S Beste):
• Data containing RNO and disability information is anonymous throughout PMRS.
• Age replaces birth date throughout.
• Age has replaced Date of Birth throughout PMRS. I dropped version numbers in favor of just using the dates. FPPS replaces CHRIS. I cleaned up the page numbers.
Sep 12, 2013 (S Beste):
• Employee database in Access dropped, replaced by the Employee Log in the web app.
Privacy Impact Assessment
Name of the Project: Performance Measurement and Reporting System
Project ID: PMRS
Legal Authority: Government Performance and Results Act 1993, GPRA
Purpose of this System: GPRA provides that agencies will have strategic plans with numeric performance targets. It further provides that agencies shall report their progress against those goals with auditable figures. PMRS is the system that collects and reports those auditable performance results at NARA.
1 Overview of PMRS
1.1 A Data Warehouse
PMRS is a data warehouse application. As such, it has no data of its own. Rather, it gathers data from 71 NARA sources for the purpose of combining and publishing them through a common user interface. This is the big picture:
[Diagram: Performance Measurement and Reporting System, Overview]
PMRS pulls hundreds of data elements from these databases each month, covering every aspect of NARA operations. Most of this has nothing to do with individuals or their privacy.
1.2 Parts of PMRS Relevant to Privacy
The diagram below shows where personally-sensitive information resides in PMRS. The dark background defines the boundary of PMRS. The colors pink and green show the two categories of data at issue:
• Pink: FOIA requests and written requests - data on requests for information from the public, by FOIA or otherwise
• Green: Employee data
The rest of this assessment treats these two categories separately. But understand how all the data flows into and out of PMRS.
[Diagram: Performance Measurement and Reporting System, Flow of Personal Information through PMRS. Legend: Written request & FOIA data; Employee data. Labels: Staging Area; Everyone on NARANET; Human Capital only.]
1. People enter data into source databases at left. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS). The privacy impacts of those systems are not covered here. We have one exception: the PMRS web application is inside the PMRS boundary. It is a source database that is also part of PMRS.
2. Some databases are sent whole to PMRS each month. For example, NGC sends its entire FOIA-tracking database to the PMRS staging area every month.
3. Other systems send only extracts. With the exception of the extract from FPPS, these extract databases do not contain data on individuals.
4. The Performance and Accountability Staff (CP) stages everything. All incoming data takes the form of a file in the PMRS staging folder.
5. CP keeps a copy of every submission. For data quality and audit purposes, CP keeps a copy of every database it receives. It does this by saving a copy of the staging area each month.
6. CP loads the warehouse. Except for employee data, the warehouse contains no personally-identifiable information.
7. CP publishes to everyone on NARANET. This is the publication side of PMRS. It contains summary data only and no privacy data.
8. CP publishes employee data to the Office of Human Capital (H). A small amount of personally-identifiable employee data goes to selected people in H for use in workforce planning.
1.3 Borderline Cases Not Discussed Further
In the interest of complete disclosure, PMRS touches on two other categories of personal information.
1.3.1 Data Regarding Online Reproduction Orders
PMRS collects data on every reproduction order placed through SOFA. However, it collects only the fields below. None of these identifies the requester or the subject of the request. Therefore, this data has no bearing on privacy and will not be discussed further.
[Table of the fields collected from SOFA; largely illegible. Surviving fragments mention the servicing, production, and ready-for-shipment parts of the work flow.]
1.3.2 Employee Log-In Data
The PMRS web application is used by about 250 NARA employees. Regarding these users, the application stores:
• Their name
• Their organization code(s)
• Their NARANET login ID
• The date and time of their last login
• The user ID and a timestamp of the last change made to every row of data. This information is visible to any colleague who can see that row of data.
This data is used to:
• Restrict system access to registered users
• Restrict user access to just the logs and organizations they need
• Spot users who are inactive in the system (and who may therefore need to be dropped)
• Maintain accountability for the data by revealing who last changed it
This information is necessary for the reasonable functioning of the system. No use is made of the data outside of the application. It is not particularly sensitive. Therefore, this data will not be discussed further.
2 Employee Data
This diagram is an extract of the one on page 2. It shows just the data about employees.
[Diagram: Performance Measurement and Reporting System, Employee Data in PMRS. Legend: Employee data. Label: Human Capital only.]
2.1 Employee Information Being Collected
Employee data enters PMRS from two sources:
• FPPS, the personnel system. This is the major source. Every month HTS emails CP an extract from FPPS. This is shown at left in the diagram above.
• PMRS Web App (Employee Log). This web log holds a list of employees and a checkmark from their manager as to whether they are eligible to telework or not.
2.1.1 FPPS Extract.accdb
This is PMRS's receiving database for the extract coming from FPPS. It is essentially an envelope for moving the data. It has no queries for analyzing the data. It has two tables for employees - one with identifying information but no RNO¹ data, and one with the reverse. See the displays below.
Employee Data with IDs - EMPLOYEE ID table
See the list of fields on the next page. This is a table of all current employees plus those who departed within the last year. The most sensitive fields are:
• NARA employee number
• Employee name
¹ RNO = Race and national origin
Fields of the EMPLOYEE ID table (field name, data type, description; illegible parts are marked):
• [illegible]: NARA's unique employee [illegible]
• [illegible]: Last name and first name of the employee
• [illegible]: A code designating schedule pay grades, typically meaning [illegible] General Schedule
• [illegible]: Level of the position, such as the 13 in GS-13
• occupational series cd (Text): A code describing the kind of duties to which the employee has been assigned
• supervisory level cd (Text): A code indicating the employee's supervisory role
• nara org cd (Text): OrgCode from PRS
• facility cd (Text): The duty [illegible] code from CHRIS, the personnel system
• position title txt (Text): Title of the employee's position
• hire dt (DateTime): The date the employee's tenure at NARA officially began. Dt EOD NARA
• separation dt (DateTime): The date the employee's tenure at NARA officially ended. Dt separated
• [illegible] (Text): From the personnel system, a code [illegible] employee left [illegible]
• [illegible] (Text): A code indicating the rule under which the employee [illegible] position
• gender cd (Text): A code indicating the employee's sex
• patcob cd (Text): A code indicating whether the person's position is professional [illegible]
• appt auth cd (Text): 3 digit code that identifies an appointment authority
• work schedule cd (Text): A code that distinguishes between full-time, part-time, intermittent, and seasonal employment
• retirement eligibility dt (DateTime): The earliest date that this employee will be eligible to retire
• federal service start dt (DateTime): SCD (leave in CHRIS). This is the date to use for calculating years in service [illegible]
• last promotion dt (DateTime): The date of the employee's last promotion. If none, then [hire dt]
• retirement plan cd (Text): The code that indicates which retirement plan applies to this employee
• target grade num (Number): The top grade level of the employee's current career track
• record status txt (Text): Status of the record as a result of the last update from the personnel system
• idp fg (Yes/No): Yes = This employee has an Individual Development Plan approved as being linked to strategic goals
• idp dt (DateTime): The date on which the employee's Individual Development Plan was approved as being linked to [cut off]
• end of month idp dt (DateTime): As of end of last quarter. The date on which the employee's Individual Development Plan was [cut off]
• performance plan fg (Yes/No): Yes = This employee has a current performance appraisal plan approved as being linked to strategic [cut off]
• performance plan dt (DateTime): The date on which the employee's performance appraisal plan was approved as being linked to [cut off]
• end of month performance plan dt (DateTime): As of end of last quarter. The date on which the employee's performance appraisal plan was [cut off]
• new nara org cd (Text): Manually entered by the PMRS Administrator during times of reorganization when people have both [cut off]
• cancel idp fg (Yes/No): Temp data. Yes = Cancel the person's IDP in Employee.mdb. Incoming data shows a change in org [cut off]
• cancel performance plan fg (Yes/No): Temp data. Yes = Cancel the person's performance plan in Employee.mdb. Incoming data [cut off]
• standard name (Text): Used for linking to data coming from ETAMS to data from CHRIS. See the ETAMS import code
Employee Data with IDs - EMPLOYEE RNO table
This covers only current employees. It is anonymized, meaning that employee names and IDs are not in the table. What remains is statistical information only, particularly:
• Disability code
• Self-declared race code
Employee RNO table
2.1.2 PMRS Web App (Employee Log)
This is where managers check off people as being eligible to telework or not. It contains the minimum number of fields to support that function. The list of employees gets updated by FPPS Extract.accdb every time it imports new data from FPPS.
Beyond the confluence of employee name and number, this database has no sensitive data.
[Field list for the Employee Log. Legible description: The month and year for which eligibility applies.]
2.1.3 PMRS Warehouse
This is the heart of PMRS. It stores data on all employees, present and past, with monthly snapshots of various properties such as their current grade and position title. The database resides in SQL Server running on the PMRSprod Windows server. Access is restricted to the PMRS Administrator.
As with the feed files and FPPS Extract.accdb, the warehouse segregates the employee data into two areas:
• Data with identifying information but no RNO or disability information
• The reverse: Anonymized data with RNO and disability information
Tables with Identifiers
This is EMPLOYEE, the parent table, with one row for every employee, past and present. Sensitive fields are:
• NARA employee number
• Employee name
[Field list for EMPLOYEE]
This is EMPLOYEE MONTH ID, with one record for each employee each month. It is child to EMPLOYEE, with the link back being through [employee num]. This contains no RNO data.
[Field list for EMPLOYEE MONTH ID (field name, data type). Legible field names: position title txt, pay plan cd, series cd, supervisory level cd, appointment type cd, appointing authority cd, gender cd, patcob cd, work schedule cd, target grade num, last promotion dt, employee qty, performance plan qty.]
This is EMPLOYEE MONTH, with one record for each employee each month. However, the data is anonymous.
[Field list for EMPLOYEE MONTH (field name, data type). Legible field names: race combo cd, work schedule cd, grade num, federal service start dt, retirement plan cd, retirement eligibility dt, employee qty, employee age, patcob cd.]
2.1.4 The Databeacon Web Site
PMRS publishes its data on NARANET using Databeacon. Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser. Our standard Employee cube lets users slice the data on 17 dimensions such as pay plan, grade, supervisory level, org code, gender, race, or any combination of these. The system does not let users ask about individuals. Indeed, neither employee names nor numbers are on the web site. However, by slicing the data fine enough, users can sometimes tell who the data is describing, especially in small units where there may be only one female GS-9 Archives Technician. Therefore, when H asked for more dimensions (in particular, a breakout by people's ages) we knew that we had a privacy issue.
Our solution was to give H the additional dimensions they want, but to put that data at a hidden location on the PMRS web site. The data is accessible by anyone on NARANET, but only if they know the URL. Databeacon has no security facilities of its own.
The sensitive data here is people's ages, and the possibility that users could connect an age with a specific employee by qualifying all the other dimensions enough, as described above.
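The slicing risk described above can be measured before a cube is published. The following is an added example (not PMRS or Databeacon code) that counts how many employees sit in cells smaller than a threshold k, with and without an age dimension; the rows, field names and k = 3 are constructed assumptions.

```python
"""Small-cell exposure check for a summary cube (added example, constructed data)."""
from collections import Counter
from itertools import combinations

# Constructed rows: one per employee, dimensions only (no names, no employee
# numbers), as in the Employee cube described above. All values are made up.
_SPEC = [
    # (org, grade, gender, age_band, employees sharing this profile)
    ("NX", 9, "F", "30-39", 1),   # the lone female GS-9 in a small unit
    ("NX", 9, "M", "30-39", 1),
    ("NX", 9, "M", "40-49", 2),
    ("NX", 11, "F", "50-59", 3),
    ("NW", 9, "F", "30-39", 3),
    ("NW", 12, "M", "40-49", 2),
    ("NW", 12, "M", "60+", 1),
]
ALL_DIMS = ("org", "grade", "gender", "age_band")
ROWS = [dict(zip(ALL_DIMS, spec[:4])) for spec in _SPEC for _ in range(spec[4])]


def cell_counts(rows, dims):
    """Head count for every cell a user can reach by slicing on `dims`."""
    return Counter(tuple(row[d] for d in dims) for row in rows)


def exposed_rows(rows, dims, k):
    """Number of employees who fall in a cell holding fewer than k people."""
    return sum(n for n in cell_counts(rows, dims).values() if n < k)


def unique_cells(rows, dims):
    """Cells that describe exactly one person: the direct re-identification case."""
    return sorted(cell for cell, n in cell_counts(rows, dims).items() if n == 1)


def worst_slices(rows, all_dims, k):
    """Exposure for every combination of dimensions, not only the full set.

    A user is free to pick any subset of dimensions, so each one is checked.
    """
    report = {}
    for size in range(1, len(all_dims) + 1):
        for dims in combinations(all_dims, size):
            report[dims] = exposed_rows(rows, dims, k)
    return report


def publishable(rows, dims, k):
    """Cube view with primary suppression: counts below k are withheld (None).

    Totals published next to a withheld cell can give it back by subtraction,
    so a real release also needs secondary suppression or coarser bands.
    """
    return {cell: (n if n >= k else None)
            for cell, n in cell_counts(rows, dims).items()}


if __name__ == "__main__":
    K = 3  # assumed minimum cell size
    base = ("org", "grade", "gender")
    print("employees:", len(ROWS))
    print("exposed without age:", exposed_rows(ROWS, base, K))
    print("exposed with age   :", exposed_rows(ROWS, ALL_DIMS, K))
    print("single-person cells with age:", unique_cells(ROWS, ALL_DIMS))
    for dims, n in sorted(worst_slices(ROWS, ALL_DIMS, K).items(),
                          key=lambda item: -item[1])[:3]:
        print(n, "exposed when slicing on", dims)
```

On this constructed data, adding the age band raises the number of employees in cells smaller than three from 1 to 7 out of 13.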
hr_employee
The main cube, hr_employee, has two measures that can be broken out in 20 dimensions (right). The data covers monthly snapshots of active employees.
[Figure: dimension list for the hr_employee cube. Legible entries: All Pay Plans; All Occupational Series; Both Perm & Temp; Both Full & Part-time; All Race/Ethnic Groups; All Supervisory Levels; Both Students & Non-students; All Retirement Plans; Retirement Eligibility; All Target Grades; All Time in Grade; All Years of Federal Service; All Ages; All Functions. Measures: Employees; Retirement-eligible Employees.]
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender, and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS, except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone, these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN, or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None.
2.3.10 Can the use of the system allow NARA to treat the public, employees, or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate, and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None.
2.3.13 What controls will be used to prevent unauthorized monitoring?
NA
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined, and by whom? Are criteria, procedures, controls, and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H and the people they share the URL with have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system, or will the user's access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system, and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive, or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local, or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
NA. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness, and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
NA. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule N1-064-03-1.
• Employee.accdb: NA. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
NA. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Figure: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Legend: Written request & FOIA data. Labels: Everyone on NARANET.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office
• 9 go to the PMRS point of contact in R, the central office of the Research Services office
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching, and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit.
• The limited sensitivity of the data.
• The very limited additional exposure that the present system incurs.
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost.
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Figure: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Legend: Written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES. The PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
[Figure: Web - FOIA DATA ENTRY table]
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical, data mining, or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
NA. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing, or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
NA
7 Approvals
The Following Officials Have Approved this PIA
System Manager: 09/13/13
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
Privacy Impact Assessment
Name of the Project: Performance Measurement and Reporting System
Project ID: PMRS
Legal Authority: Government Performance and Results Act 1993 (GPRA)
Purpose of this System: GPRA provides that agencies will have strategic plans with numeric performance targets. It further provides that agencies shall report their progress against those goals with auditable figures. PMRS is the system that collects and reports those auditable performance results at NARA.
1 Overview of PMRS
1.1 A Data Warehouse
PMRS is a data warehouse application. As such, it has no data of its own. Rather, it gathers data from 71 NARA sources for the purpose of combining and publishing them through a common user interface. This is the big picture:
[Figure: Performance Measurement and Reporting System, Overview. Labels: Sources; Collect Data; Store; Publish; Everyone on NARANET.]
PMRS pulls hundreds of data elements from these databases each month, covering every aspect of NARA operations. Most of this has nothing to do with individuals or their privacy.
1.2 Parts of PMRS Relevant to Privacy
The diagram below shows where personally-sensitive information resides in PMRS. The dark background defines the boundary of PMRS. The colors pink and green show the two categories of data at issue:
• Pink: FOIA requests and written requests, that is, data on requests for information from the public, by FOIA or otherwise
• Green: Employee data
The rest of this assessment treats these two categories separately. But understand how all the data flows into and out of PMRS.
[Figure: Performance Measurement and Reporting System, Flow of Personal Information through PMRS. Legend: Written request & FOIA data; Employee data. Labels: Staging Area; Everyone on NARANET; Human Capital only.]
1. People enter data into source databases at left. Normally source databases are the responsibility of their owners (CMRS, SOFA, FPPS ...). The privacy impacts of those systems are not covered here. We have one exception: the PMRS web application is inside the PMRS boundary. It is a source database that is also part of PMRS.
2. Some databases are sent whole to PMRS each month. For example, NGC sends its entire FOIA-tracking database to the PMRS staging area every month.
3. Other systems send only extracts. With the exception of the extract from FPPS, these extract databases do not contain data on individuals.
4. The Performance and Accountability Staff (CP) stages everything. All incoming data takes the form of a file in the PMRS staging folder.
5. CP keeps a copy of every submission. For data quality and audit purposes, CP keeps a copy of every database it receives. It does this by saving a copy of the staging area each month.
6. CP loads the warehouse. Except for employee data, the warehouse contains no personally-identifiable information.
7. CP publishes to everyone on NARANET. This is the publication side of PMRS. It contains summary data only and no privacy data.
8. CP publishes employee data to the Office of Human Capital (H). A small amount of personally-identifiable employee data goes to selected people in H for use in workforce planning.
1.3 Borderline Cases Not Discussed Further
In the interest of complete disclosure, PMRS touches on two other categories of personal information.
1.3.1 Data Regarding Online Reproduction Orders
PMRS collects data on every reproduction order placed through SOFA. However, it collects only the fields below. None of these identifies the requester or the subject of the request. Therefore this data has no bearing on privacy and will not be discussed further.
[Field list not legible in this copy; surviving description fragments: servicing part of the work flow; production part of the work flow; ready-for-shipment part of the work flow.]
1.3.2 Employee Log-In Data
The PMRS web application is used by about 250 NARA employees. Regarding these users, the application stores:
• Their name
• Their organization code(s)
• Their NARANET login ID
• The date and time of their last login
• The user ID and a timestamp of the last change made to every row of data. This information is visible to any colleague who can see that row of data.
This data is used to:
• Restrict system access to registered users
• Restrict user access to just the logs and organizations they need
• Spot users who are inactive in the system (and who may therefore need to be dropped)
• Maintain accountability for the data by revealing who last changed it
This information is necessary for the reasonable functioning of the system. No use is made of the data outside of the application. It is not particularly sensitive. Therefore this data will not be discussed further.
2 Employee Data
This diagram is an extract of the one on page 2. It shows just the data about employees.
[Figure: Performance Measurement and Reporting System, Employee Data in PMRS. Legend: Employee data. Labels: Human Capital only.]
2.1 Employee Information Being Collected
Employee data enters PMRS from two sources:
• FPPS, the personnel system. This is the major source. Every month HTS emails CP an extract from FPPS. This is shown at left in the diagram above.
• PMRS Web App (Employee Log). This web log holds a list of employees and a checkmark from their manager as to whether they are eligible to telework or not.
2.1.1 FPPS Extract.accdb
This is PMRS's receiving database for the extract coming from FPPS. It is essentially an envelope for moving the data. It has no queries for analyzing the data. It has two tables for employees: one with identifying information but no RNO¹ data, and one with the reverse. See the displays below.
Employee Data with IDs - EMPLOYEE ID table
See the list of fields on the next page. This is a table of all current employees plus those who departed within the last year. The most sensitive fields are:
• NARA employee number
• Employee name
¹ RNO = Race and national origin
Field name (Data Type): Description
(field name not legible): NARA's unique employee identifier. Switch from … when CHRIS can give us separations by emp…
(field name not legible): Last name and first name of the employee
(field name not legible): A code designating schedule of pay grades, typically meaning GS = General Schedule
(field name not legible): Level of the position, such as the "13" in GS-13
occupational series cd (Text): A code describing the kind of duties to which the employee has been assigned
supervisory level cd (Text): A code indicating the employee's supervisory role
nara org cd (Text): OrgCode from PRS
facility cd (Text): The duty … code from CHRIS, the personnel system
position title txt (Text): Title of the employee's position
hire dt (DateTime): The date the employee's tenure at NARA officially began. Dt EOD NARA
separation dt (DateTime): The date the employee's tenure at NARA officially ended. Dt separated
separation reason cd (Text): From the personnel system, a code of the reason an employee left NARA
appt type cd (Text): A code indicating the rule under which the employee … this position
gender cd (Text): A code indicating the employee's sex
patcob cd (Text): A code indicating whether the person's position is professional, …
appt auth cd (Text): 3 digit code that identifies an appointment authority
work schedule cd (Text): A code that distinguishes between full-time, part-time, intermittent and seasonal employment
retirement eligibility dt (DateTime): The earliest date that this employee will be eligible to retire
federal service start dt (DateTime): SCD (leave) in CHRIS. This is the date to use for calculating years in service …
last promotion dt (DateTime): The date of the employee's last promotion. If none, then [hire dt]
retirement plan cd (Text): The code that indicates which retirement plan applies to this employee
target grade num (Number): The top grade level of the employee's current career track
record status txt (Text): Status of the record as a result of the last update from the personnel system
idp fg (Yes/No): Yes = This employee has an Individual Development Plan approved as being linked to strategic goals
idp dt (DateTime): The date on which the employee's Individual Development Plan was approved as being linked to strate…
end of month idp dt (DateTime): As of end of last quarter. The date on which the employee's Individual Development Plan was approv…
performance plan fg (Yes/No): Yes = This employee has a current performance appraisal plan approved as being linked to strategic goa…
performance plan dt (DateTime): The date on which the employee's performance appraisal plan was approved as being linked to strateg…
end of month performance plan dt (DateTime): As of end of last quarter. The date on which the employee's performance appraisal plan was approve…
new nara org cd (Text): Manually entered by the PMRS Administrator during times of reorganization when people have both o…
cancel idp fg (Yes/No): Temp data. Yes = Cancel the person's IDP in Employee.mdb. Incoming data shows a change in org, pos…
cancel performance plan fg (Yes/No): Temp data. Yes = Cancel the person's performance plan in Employee.mdb. Incoming data shows a cha…
standard name (Text): Used for linking to data coming from ETAMS to data from CHRIS. See the ETAMS import code
cancel performa~eyhm ~lg__ YesN==~ Te_mp-d3~a Yes carce-the person~s performance plan in Employeemd~ __ncoming ~ata shc~s a cha standard name ~-~-~-middot -~~middot Text ysed for_lnkingto data comingfrofl_l_ ET_~Ms to_da_ta ~rom CtJ_RS See the ETAMS import co-de
Employee Data with IDs - EMPLOYEE RNO table
This covers only current employees. It is anonymized, meaning that employee names and IDs are not in the table. What remains is statistical information only, particularly:
• Disability code
• Self-declared race code
Employee RNO table
2.1.2 PMRS Web App (Employee Log)
This is where managers check off people as being eligible to telework or not. It contains the minimum number of fields to support that function. The list of employees gets updated by FPPS Extract.accdb every time it imports new data from FPPS.
Beyond the confluence of employee name and number, this database has no sensitive data.
Description: The month and year for which eligibility applies
2.1.3 PMRS Warehouse
This is the heart of PMRS. It stores data on all employees, present and past, with monthly snapshots of various properties such as their current grade and position title. The database resides in SQL Server running on the PMRSprod Windows server. Access is restricted to the PMRS Administrator.
As with the feed files and FPPS Extract.accdb, the warehouse segregates the employee data into two areas:
• Data with identifying information but no RNO or disability information
• The reverse: Anonymized data with RNO and disability information
Tables with Identifiers
This is EMPLOYEE, the parent table, with one row for every employee, past and present. Sensitive fields are:
• NARA employee number
• Employee name
This is EMPLOYEE MONTH ID, with one record for each employee each month. It is child to EMPLOYEE, with the link back being through [employee num]. This contains no RNO data.
Field name | Data type
position title txt | Text
pay plan cd | Text
series cd | Text
supervisory level cd |
appointment type cd |
appointing authority cd | Text
gender cd | Text
patcob cd | Text
work schedule cd | Text
target grade num | Number
last promotion dt | DateTime
employee qty | Number
performance plan qty |
This is EMPLOYEE MONTH, with one record for each employee each month. However, the data is anonymous.
Field names: race combo cd, work schedule cd, grade num, federal service start dt, retirement plan cd, retirement eligibility dt, employee qty, employee age, patcob cd
2.1.4 The Databeacon Web Site
PMRS publishes its data on NARANET using Databeacon. Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser. Our standard Employee cube lets users slice the data on 17 dimensions such as pay plan, grade, supervisory level, org code, gender, race, or any combination of these. The system does not let users ask about individuals. Indeed, neither employee names nor numbers are on the web site. However, by slicing the data fine enough, users can sometimes tell who the data is describing, especially in small units where there may be only one female GS-9 Archives Technician. Therefore, when H asked for more dimensions, in particular a breakout by people's ages, we knew that we had a privacy issue.
Our solution was to give H the additional dimensions they want, but to put that data at a hidden location on the PMRS web site. The data is accessible by anyone on NARANET, but only if they know the URL. Databeacon has no security facilities of its own.
The sensitive data here is people's ages and the possibility that users could connect an age with a specific employee by qualifying all the other dimensions enough, as described above.
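The risk described above, that fine enough slicing isolates one person, can be measured before a cube is published by counting how many records fall into cells smaller than a threshold k. The following is an added example, not part of PMRS or Databeacon; the dimension names, unit labels, threshold and sample rows are all constructed for illustration.

```python
"""Small-cell disclosure check for a published statistical cube (added example)."""
from collections import Counter
from itertools import combinations

# Hypothetical dimension names; the real cube's column names are not assumed.
DIMS = ("org", "pay_plan", "grade", "gender", "age_band")
BASE_DIMS = DIMS[:4]  # dimensions available before an age breakout is added

# Constructed sample snapshot. Like the cube, it holds no names or employee
# numbers: each row is one anonymous employee described only by dimensions.
_SAMPLE = [
    ("UNIT-A", "GS", 9, "F", "30-39"),
    ("UNIT-A", "GS", 9, "F", "30-39"),
    ("UNIT-A", "GS", 9, "F", "40-49"),
    ("UNIT-A", "GS", 9, "M", "30-39"),
    ("UNIT-A", "GS", 9, "M", "30-39"),
    ("UNIT-A", "GS", 9, "M", "50-59"),
    ("UNIT-A", "GS", 12, "F", "40-49"),
    ("UNIT-A", "GS", 12, "F", "40-49"),
    ("UNIT-A", "GS", 12, "M", "40-49"),
    ("UNIT-A", "GS", 12, "M", "40-49"),
    ("UNIT-B", "GS", 9, "F", "50-59"),   # the only female GS-9 in a small unit
    ("UNIT-B", "GS", 9, "M", "30-39"),
    ("UNIT-B", "GS", 9, "M", "30-39"),
]
ROWS = [dict(zip(DIMS, values)) for values in _SAMPLE]


def cell_counts(rows, dims):
    """Head count for every combination of values of the chosen dimensions."""
    return Counter(tuple(row[d] for d in dims) for row in rows)


def small_cells(rows, dims, k):
    """Cells holding fewer than k people; a count of 1 describes one person."""
    return {cell: n for cell, n in cell_counts(rows, dims).items() if n < k}


def records_at_risk(rows, dims, k):
    """Number of employees who sit in a cell smaller than k."""
    return sum(small_cells(rows, dims, k).values())


def risk_table(rows, dims, k):
    """At-risk head count for every subset of dimensions a user could slice on.

    The number of subsets grows as 2**len(dims), so on a wide cube restrict
    this to the subsets that include the newly added dimension.
    """
    table = {}
    for size in range(1, len(dims) + 1):
        for combo in combinations(dims, size):
            table[combo] = records_at_risk(rows, combo, k)
    return table


def publishable(rows, dims, k):
    """Cell counts with small cells withheld (None).

    Withholding a cell is not sufficient if row or column totals are also
    published, because the withheld value can be recovered by subtraction.
    """
    return {cell: (n if n >= k else None)
            for cell, n in cell_counts(rows, dims).items()}


if __name__ == "__main__":
    k = 2
    print("at risk without ages:", records_at_risk(ROWS, BASE_DIMS, k))
    print("at risk with ages:   ", records_at_risk(ROWS, DIMS, k))
    for combo, n in sorted(risk_table(ROWS, DIMS, k).items(), key=lambda kv: -kv[1]):
        if n:
            print(f"  {n} record(s) isolated by slicing on {', '.join(combo)}")
```

On the constructed data, adding the age band raises the number of employees in single-person cells from one to three, which is the effect the paragraph above describes.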
hr_employee
The main cube, hr_employee, has two measures that can be broken out in 20 dimensions (right). The data covers monthly snapshots of active employees.
Dimensions shown: All Pay Plans; All Occupational Series; Both Perm & Temp; Both Full & Part-time; All Race/Ethnic Groups; All Supervisory Levels; Both Students & Non-students; All Retirement Plans; Retirement Eligibility; All Target Grades; All Time in Grade; All Years of Federal Service; All Ages; All Functions
Measures (Measures): Employees; Retirement-eligible Employees
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS, except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone, these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None.
2.3.10 Can the use of the system allow NARA to treat the public, employees or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None.
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g. contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined, and by whom? Are criteria, procedures, controls and responsibilities regarding access documented? If so, where are they documented (e.g. concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H and the people they share the URL with have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system, or will the user's access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g. unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system, and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e. where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g. data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule Nl-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule Nl-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System - Written Request & FOIA Data in PMRS. Legend: written request & FOIA data. Label: Everyone on NARANET]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore, the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries and Museum Services office
• 9 go to the PMRS point of contact in R, the central office of the Research Services office
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit
• The limited sensitivity of the data
• The very limited additional exposure that the present system incurs
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System - Written Request & FOIA Data in PMRS. Legend: written request & FOIA data]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES; the PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical or data mining or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule Nl-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A
7 Approvals
The Following Officials Have Approved this PIA
System Manager 091313
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
1.2 Parts of PMRS Relevant to Privacy
The diagram below shows where personally-sensitive information resides in PMRS. The dark background defines the boundary of PMRS. The colors pink and green show the two categories of data at issue:
• Pink: FOIA requests and written requests, that is, data on requests for information from the public, by FOIA or otherwise
• Green: Employee data
The rest of this assessment treats these two categories separately. But understand how all the data flows into and out of PMRS.
[Diagram: Performance Measurement and Reporting System - Flow of Personal Information through PMRS. Legend: written request & FOIA data; employee data. Labels: Staging Area; Everyone on NARANET; Human Capital only]
1. People enter data into source databases at left. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS). The privacy impacts of those systems are not covered here. We have one exception: the PMRS web application is inside the PMRS boundary. It is a source database that is also part of PMRS.
2. Some databases are sent whole to PMRS each month. For example, NGC sends its entire FOIA-tracking database to the PMRS staging area every month.
3. Other systems send only extracts. With the exception of the extract from FPPS, these extract databases do not contain data on individuals.
4. The Performance and Accountability Staff (CP) stages everything. All incoming data takes the form of a file in the PMRS staging folder.
5. CP keeps a copy of every submission. For data quality and audit purposes, CP keeps a copy of every database it receives. It does this by saving a copy of the staging area each month.
6. CP loads the warehouse. Except for employee data, the warehouse contains no personally-identifiable information.
7. CP publishes to everyone on NARANET. This is the publication side of PMRS. It contains summary data only and no privacy data.
8. CP publishes employee data to the Office of Human Capital (H). A small amount of personally-identifiable employee data goes to selected people in H for use in workforce planning.
1.3 Borderline Cases Not Discussed Further
In the interest of complete disclosure, PMRS touches on two other categories of personal information.
1.3.1 Data Regarding Online Reproduction Orders
PMRS collects data on every reproduction order placed through SOFA. However, it collects only the fields below. None of these identifies the requester or the subject of the request. Therefore, this data has no bearing on privacy and will not be discussed further.
[Table of collected fields, not legible in the scan. The readable fragments refer to the servicing, production, and ready-for-shipment parts of the work flow.]
1.3.2 Employee Log-In Data
The PMRS web application is used by about 250 NARA employees. Regarding these users, the application stores:
• Their name
• Their organization code(s)
• Their NARANET login ID
• The date and time of their last login
• The user ID and a timestamp of the last change made to every row of data. This information is visible to any colleague who can see that row of data.
This data is used to:
• Restrict system access to registered users
• Restrict user access to just the logs and organizations they need
• Spot users who are inactive in the system (and who may therefore need to be dropped)
• Maintain accountability for the data by revealing who last changed it
This information is necessary for the reasonable functioning of the system. No use is made of the data outside of the application. It is not particularly sensitive. Therefore, this data will not be discussed further.
2 Employee Data
This diagram is an extract of the one on page 2. It shows just the data about employees.
[Diagram: Performance Measurement and Reporting System - Employee Data in PMRS. Legend: employee data. Label: Human Capital only.]
2.1 Employee Information Being Collected
Employee data enters PMRS from two sources:
• FPPS, the personnel system. This is the major source. Every month, HTS emails CP an extract from FPPS. This is shown at left in the diagram above.
• PMRS Web App (Employee Log). This web log holds a list of employees and a checkmark from their manager as to whether they are eligible to telework or not.
2.1.1 FPPS Extract.accdb
This is PMRS's receiving database for the extract coming from FPPS. It is essentially an envelope for moving the data. It has no queries for analyzing the data. It has two tables for employees - one with identifying information but no RNO¹ data, and one with the reverse. See the displays below.
Employee Data with IDs - EMPLOYEE ID table
See the list of fields on the next page. This is a table of all current employees plus those who departed within the last year. The most sensitive fields are:
• NARA employee number
• Employee name
¹ RNO = Race and national origin
Fields of the EMPLOYEE ID table, listed as field name (data type): description. Text the scan left unreadable is marked [illegible]; descriptions cut off at the edge of the image are marked [cut off].
[illegible] ([illegible]): NARA's unique employee identifier. [illegible]
[illegible] ([illegible]): Last name and first name of the employee
[illegible] ([illegible]): A code designating [illegible] pay grades, typically meaning GS [illegible]
[illegible] ([illegible]): Level of the position, such as the 13 in GS-13
occupational [illegible] cd (Text): A code describing the kind of duties to which the employee has been assigned
supervisory level cd (Text): A code indicating the employee's supervisory role
nara org cd (Text): OrgCode from PRS
facility cd (Text): The duty [illegible] code from CHRS, the personnel system
position title txt (Text): Title of the employee's position
hire dt (DateTime): The date the employee's tenure at NARA officially began. Dt EOD NARA
separation dt (DateTime): The date the employee's tenure at NARA officially ended. [illegible]
[illegible] (Text): From the personnel system, [illegible] an employee left NARA
[illegible] (Text): A code indicating the rule under which the employee [illegible] position
gender cd (Text): A code indicating the employee's sex
patcob cd (Text): A code indicating whether the person's position is professional [illegible]
appt auth [illegible] (Text): 3 digit code that identifies an appointment authority
work schedule cd (Text): A code that distinguishes between full-time, part-time, intermittent, and seasonal employment
retirement eligibility [illegible] (DateTime): The earliest date that this employee will be eligible [illegible]
federal service start dt (DateTime): SCD [illegible]. This is the date to use for calculating years in service [illegible]
last promotion dt (DateTime): The date of the employee's last promotion. If none, then [hire dt]
retirement plan [illegible] (Text): The code that indicates which retirement plan applies to this employee
target grade num (Number): The top grade level of the employee's current career track
record status txt (Text): Status of the record as a result of the last update from the personnel system
idp fg (YesNo): Yes = This employee has an Individual Development Plan approved as being linked to strategic goals
idp dt (DateTime): The date on which the employee's Individual Development Plan was approved as being linked to [cut off]
end of month idp dt (DateTime): As of end of last quarter. The date on which the employee's Individual Development Plan was [cut off]
performance plan fg (YesNo): Yes = This employee has a current performance appraisal plan approved as being linked to strategic [cut off]
performance plan dt (DateTime): The date on which the employee's performance appraisal plan was approved as being linked to [cut off]
end of month performance plan dt (DateTime): As of end of last quarter. The date on which the employee's performance appraisal plan was [cut off]
new nara org cd (Text): Manually entered by the PMRS Administrator during times of reorganization when people have both [cut off]
cancel idp fg (YesNo): Temp data. Yes = Cancel the person's IDP in Employee.mdb. Incoming data shows a change in org [cut off]
cancel performance plan fg (YesNo): Temp data. Yes = Cancel the person's performance plan in Employee.mdb. Incoming data shows a [cut off]
standard name (Text): Used for linking data coming from ETAMS to data from CHRS. See the ETAMS import code
Employee Data with IDs - EMPLOYEE RNO table
This covers only current employees. It is anonymized, meaning that employee names and IDs are not in the table. What remains is statistical information only, particularly:
• Disability code
• Self-declared race code
[Figure: Employee RNO table]
2.1.2 PMRS Web App (Employee Log)
This is where managers check off people as being eligible to telework or not. It contains the minimum number of fields to support that function. The list of employees gets updated by FPPS Extract.accdb every time it imports new data from FPPS.
Beyond the confluence of employee name and number, this database has no sensitive data.
[Field table, largely illegible in the scan. The one readable description is: "The month and year for which eligibility applies".]
2.1.3 PMRS Warehouse
This is the heart of PMRS. It stores data on all employees, present and past, with monthly snapshots of various properties such as their current grade and position title. The database resides in SQL Server running on the PMRSprod Windows server. Access is restricted to the PMRS Administrator.
As with the feed files and FPPS Extract.accdb, the warehouse segregates the employee data into two areas:
• Data with identifying information but no RNO or disability information
• The reverse: anonymized data with RNO and disability information
Tables with Identifiers
This is EMPLOYEE, the parent table, with one row for every employee, past and present. Sensitive fields are:
• NARA employee number
• Employee name
This is EMPLOYEE MONTH ID, with one record for each employee each month. It is child to EMPLOYEE, with the link back being through [employee num]. This contains no RNO data.
[Field table for EMPLOYEE MONTH ID, only partly legible in the scan. Recoverable field names: position title txt, pay plan cd, series cd, supervisory level, appointment type cd, appointing authority cd, gender cd, patcob cd, work schedule cd, target grade num, last promotion dt, employee qty, performance plan qty. Data types shown are DateTime, Number, and Text.]
This is EMPLOYEE MONTH, with one record for each employee each month. However, the data is anonymous.
[Field table for EMPLOYEE MONTH, only partly legible in the scan. Recoverable field names: race combo cd, work schedule cd, grade num, federal service start dt, retirement plan cd, retirement eligibility dt, employee qty, employee age, patcob cd. Data types shown are DateTime, Number, and Text.]
2.1.4 The Databeacon Web Site
PMRS publishes its data on NARANET using Databeacon. Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser. Our standard Employee cube lets users slice the data on 17 dimensions, such as pay plan, grade, supervisory level, org code, gender, race, or any combination of these. The system does not let users ask about individuals. Indeed, neither employee names nor numbers are on the web site. However, by slicing the data fine enough, users can sometimes tell who the data is describing, especially in small units where there may be only one female GS-9 Archives Technician. Therefore, when H asked for more dimensions - in particular, a breakout by people's ages - we knew that we had a privacy issue.
Our solution was to give H the additional dimensions they want, but to put that data at a hidden location on the PMRS web site. The data is accessible by anyone on NARANET, but only if they know the URL. Databeacon has no security facilities of its own.
The sensitive data here is people's ages, and the possibility that users could connect an age with a specific employee by qualifying all the other dimensions enough, as described above.
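The small-cell risk described above can be measured on a snapshot before a cube is published. The following is an added example, not part of the assessment or of PMRS: the 15 rows are constructed, the field names, age bands, and threshold k are assumptions, and the code counts how many employees sit in cells smaller than k with and without an age dimension, then flags cells where attributes a colleague already knows reveal an age band.

```python
from collections import Counter, defaultdict

# Constructed snapshot of 15 employees in two units; not real NARA data.
# Field names are assumptions loosely modelled on the cube's dimensions.
FIELDS = ("org", "series", "grade", "gender", "age")
SAMPLE = [
    ("R1", "ArchTech", 9, "F", 34), ("R1", "ArchTech", 9, "F", 36),
    ("R1", "ArchTech", 9, "F", 52), ("R1", "ArchTech", 9, "M", 31),
    ("R1", "ArchTech", 9, "M", 38), ("R1", "ArchTech", 9, "M", 45),
    ("R1", "Archivist", 12, "F", 41), ("R1", "Archivist", 12, "F", 47),
    ("R1", "Archivist", 12, "M", 44), ("R1", "Archivist", 12, "M", 49),
    ("L2", "ArchTech", 9, "F", 58), ("L2", "ArchTech", 9, "M", 29),
    ("L2", "ArchTech", 9, "M", 33), ("L2", "Archivist", 12, "M", 61),
    ("L2", "Archivist", 12, "M", 55),
]
KNOWN = ("org", "series", "grade", "gender")  # facts a colleague already knows


def decade(age):
    """Ten-year band label, e.g. 34 -> '30-39'."""
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def two_bands(age):
    """Coarser banding used as a mitigation."""
    return "under 40" if age < 40 else "40+"


def load(sample, band=decade):
    """Turn the tuples into dict rows, replacing raw age with a published band."""
    rows = []
    for rec in sample:
        row = dict(zip(FIELDS, rec))
        row["age_band"] = band(row.pop("age"))
        rows.append(row)
    return rows


def cell_counts(rows, dims):
    """Head count per cell when the cube is sliced on `dims`."""
    return Counter(tuple(r[d] for d in dims) for r in rows)


def exposed(rows, dims, k):
    """Number of employees sitting in a cell with fewer than k people."""
    return sum(n for n in cell_counts(rows, dims).values() if n < k)


def disclosures(rows, known, sensitive, k):
    """Cells where knowing `known` about a person reveals `sensitive`.

    'small': fewer than k people share the known attributes.
    'homogeneous': k or more people, but all share one sensitive value.
    """
    values = defaultdict(list)
    for r in rows:
        values[tuple(r[d] for d in known)].append(r[sensitive])
    flagged = {}
    for cell, vals in values.items():
        if len(vals) < k:
            flagged[cell] = "small"
        elif len(set(vals)) == 1:
            flagged[cell] = "homogeneous"
    return flagged


def suppressed_cube(rows, dims, k):
    """Counts as they could be published: cells below k are withheld (None)."""
    return {c: (n if n >= k else None) for c, n in cell_counts(rows, dims).items()}


if __name__ == "__main__":
    rows = load(SAMPLE)
    with_age = KNOWN + ("age_band",)
    print("exposed without age:", exposed(rows, KNOWN, 2))
    print("exposed with decade bands:", exposed(rows, with_age, 2))
    print("exposed with two bands:", exposed(load(SAMPLE, two_bands), with_age, 2))
    for cell, why in disclosures(rows, KNOWN, "age_band", 2).items():
        print(cell, why)
```

Withholding small cells is only effective if row and column totals published alongside them do not let a reader recover the withheld count by subtraction.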
hr_employee
The main cube, hr_employee, has two measures that can be broken out in 20 dimensions (right). The data covers monthly snapshots of active employees.
[Screenshot of the hr_employee cube. Dimensions shown: All Pay Plans; All Occupational Series; Both Perm & Temp; Both Full & Part-time; All Race/Ethnic Groups; All Supervisory Levels; Both Students & Non-students; All Retirement Plans; Retirement Eligibility; All Target Grades; All Time in Grade; All Years of Federal Service; All Ages; All Functions. Measures: [illegible] of Employees; [illegible] of Retirement-eligible Employees.]
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender, and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS - except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone - these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN, or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None.
2.3.10 Can the use of the system allow NARA to treat the public, employees, or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully, it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate, and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None.
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined, and by whom? Are criteria, procedures, controls, and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H, and the people they share the URL with, have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system, or will the users' access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system, and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive, or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local, or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness, and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule, N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule, N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System - Written Request & FOIA Data in PMRS. Label: Everyone on NARANET. Legend: written request & FOIA data.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore, the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month, PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office
• 9 go to the PMRS point of contact in R, the central office of the Research Services office
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server, accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching, and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit
• The limited sensitivity of the data
• The very limited additional exposure that the present system incurs
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None.
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None.
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System - Written Request & FOIA Data in PMRS. Legend: written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES. The PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total, excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
[Screenshot: Web - FOIA DATA ENTRY table. Field list not legible in the scan.]
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical, data mining, or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule, N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A
7 Approvals
The Following Officials Have Approved this PIA
System Manager 091313
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
7. CP publishes to everyone on NARANET. This is the publication side of PMRS. It contains summary data only and no privacy data.
8. CP publishes employee data to the Office of Human Capital (H). A small amount of personally-identifiable employee data goes to selected people in H for use in workforce planning.
1.3 Borderline Cases Not Discussed Further
In the interest of complete disclosure, PMRS touches on two other categories of personal information.
1.3.1 Data Regarding Online Reproduction Orders
PMRS collects data on every reproduction order placed through SOFA. However, it collects only the fields below. None of these identifies the requester or the subject of the request. Therefore this data has no bearing on privacy and will not be discussed further.
[Table: reproduction-order fields collected from SOFA. Legible entries refer to the payment type and to the servicing, production and ready-for-shipment parts of the work flow.]
1.3.2 Employee Log-In Data
The PMRS web application is used by about 250 NARA employees. Regarding these users, the application stores:
• Their name
• Their organization code(s)
• Their NARANET login ID
• The date and time of their last login
• The user ID and a timestamp of the last change made to every row of data. This information is visible to any colleague who can see that row of data.
This data is used to:
• Restrict system access to registered users
• Restrict user access to just the logs and organizations they need
• Spot users who are inactive in the system (and who may therefore need to be dropped)
• Maintain accountability for the data by revealing who last changed it
This information is necessary for the reasonable functioning of the system. No use is made of the data outside of the application. It is not particularly sensitive. Therefore this data will not be discussed further.
2 Employee Data
This diagram is an extract of the one on page 2. It shows just the data about employees.
[Diagram: Performance Measurement and Reporting System, Employee Data in PMRS. Legible labels: Employee data; Human Capital only.]
2.1 Employee Information Being Collected
Employee data enters PMRS from two sources:
• FPPS, the personnel system. This is the major source. Every month HTS emails CP an extract from FPPS. This is shown at left in the diagram above.
• PMRS Web App (Employee Log). This web log holds a list of employees and a checkmark from their manager as to whether they are eligible to telework or not.
2.1.1 FPPS Extract.accdb
This is PMRS's receiving database for the extract coming from FPPS. It is essentially an envelope for moving the data. It has no queries for analyzing the data. It has two tables for employees - one with identifying information but no RNO [1] data, and one with the reverse. See the displays below.
Employee Data with IDs - EMPLOYEE ID table
See the list of fields on the next page. This is a table of all current employees plus those who departed within the last year. The most sensitive fields are:
• NARA employee number
• Employee name
[1] RNO = Race and national origin
Field name | Data type | Description
[illegible] | [illegible] | NARA's unique employee identifier [remainder of description illegible]
[illegible] | [illegible] | Last name and first name of the employee
[illegible] | [illegible] | A code designating schedules/pay grades, typically meaning GS, General Schedule
[illegible] | [illegible] | Level of the position, such as the "13" in GS-13
occupational series cd | Text | A code describing the kind of duties to which the employee has been assigned
supervisory level cd | Text | A code indicating the employee's supervisory role
nara org cd | Text | OrgCode from PMRS
facility cd | Text | The duty[illegible] code from CHRIS, the personnel system
position title txt | Text | Title of the employee's position
hire dt | DateTime | The date the employee's tenure at NARA officially began. Dt EOD NARA
separation dt | DateTime | The date the employee's tenure at NARA officially ended. Dt separated
[illegible] | Text | From the personnel system, a code [illegible] an employee left NARA
[illegible] | Text | A code indicating the rule under which the employee [illegible] this position
gender cd | Text | A code indicating the employee's sex
patcob cd | Text | A code indicating whether the person's position is professional, [remainder illegible]
appt auth cd | Text | 3 digit code that identifies an appointment authority
work schedule cd | Text | A code that distinguishes between full-time, part-time, intermittent and seasonal employment
retirement eligibility dt | DateTime | The earliest date that this employee will be eligible to retire
federal service start dt | DateTime | SCD (leave) in CHRIS. This is the date to use for calculating years in service [remainder illegible]
last promotion dt | DateTime | The date of the employee's last promotion. If none, then [hire dt]
retirement plan cd | Text | The code that indicates which retirement plan applies to this employee
target grade num | Number | The top grade level of the employee's current career track
record status txt | Text | Status of the record as a result of the last update from the personnel system
idp fg | Yes/No | Yes = This employee has an Individual Development Plan approved as being linked to strategic goals
idp dt | DateTime | The date on which the employee's Individual Development Plan was approved as being linked to [cut off]
end of month idp dt | DateTime | As of end of last quarter. The date on which the employee's Individual Development Plan was approv[cut off]
performance plan fg | Yes/No | Yes = This employee has a current performance appraisal plan approved as being linked to strategic goa[cut off]
performance plan dt | DateTime | The date on which the employee's performance appraisal plan was approved as being linked to strate[cut off]
end of month performance plan dt | DateTime | As of end of last quarter. The date on which the employee's performance appraisal plan was approve[cut off]
new nara org cd | Text | Manually entered by the PMRS Administrator during times of reorganization when people have both o[cut off]
cancel idp fg | Yes/No | Temp data. Yes = Cancel the person's IDP in Employee.mdb. Incoming data shows a change in org, pos[cut off]
cancel performance plan fg | Yes/No | Temp data. Yes = Cancel the person's performance plan in Employee.mdb. Incoming data shows a cha[cut off]
standard name | Text | Used for linking to data coming from ETAMS to data from CHRIS. See the ETAMS import code
Employee Data with IDs - EMPLOYEE RNO table
This covers only current employees. It is anonymized, meaning that employee names and IDs are not in the table. What remains is statistical information only, particularly:
• Disability code
• Self-declared race code
Employee RNO table
2.1.2 PMRS Web App (Employee Log)
This is where managers check off people as being eligible to telework or not. It contains the minimum number of fields to support that function. The list of employees gets updated by FPPS Extract.accdb every time it imports new data from FPPS.
Beyond the confluence of employee name and number, this database has no sensitive data.
[Table: Employee Log field list. The one legible description reads: The month and year for which eligibility applies.]
2.1.3 PMRS Warehouse
This is the heart of PMRS. It stores data on all employees, present and past, with monthly snapshots of various properties such as their current grade and position title. The database resides in SQL Server running on the PMRSprod Windows server. Access is restricted to the PMRS Administrator.
As with the feed files and FPPS Extract.accdb, the warehouse segregates the employee data into two areas:
• Data with identifying information but no RNO or disability information
• The reverse: anonymized data with RNO and disability information
Tables with Identifiers
This is EMPLOYEE, the parent table, with one row for every employee, past and present. Sensitive fields are:
• NARA employee number
• Employee name
This is EMPLOYEE MONTH ID, with one record for each employee each month. It is child to EMPLOYEE, with the link back being through [employee num]. This contains no RNO data.
[Table: EMPLOYEE MONTH ID field list (field name, data type). Legible entries: position title txt (Text), pay plan cd (Text), series cd (Text), supervisory level cd, appointment type cd, appointing authority cd (Text), gender cd (Text), patcob cd (Text), work schedule cd (Text), target grade num (Number), last promotion dt (DateTime), employee qty (Number), performance plan qty.]
This is EMPLOYEE MONTH, with one record for each employee each month. However, the data is anonymous.
[Table: EMPLOYEE MONTH field list (field name, data type). Legible field names: race combo cd, work schedule cd, grade num, federal service start dt, retirement plan cd, retirement eligibility dt, employee qty, employee age, patcob cd.]
2.1.4 The Databeacon Web Site
PMRS publishes its data on NARANET using Databeacon. Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser. Our standard Employee cube lets users slice the data on 17 dimensions, such as pay plan, grade, supervisory level, org code, gender, race, or any combination of these. The system does not let users ask about individuals. Indeed, neither employee names nor numbers are on the web site. However, by slicing the data fine enough, users can sometimes tell who the data is describing, especially in small units where there may be only one female GS-9 Archives Technician. Therefore, when H asked for more dimensions - in particular, a breakout by people's ages - we knew that we had a privacy issue.
Our solution was to give H the additional dimensions they want, but to put that data at a hidden location on the PMRS web site. The data is accessible by anyone on NARANET, but only if they know the URL. Databeacon has no security facilities of its own.
The sensitive data here is people's ages, and the possibility that users could connect an age with a specific employee by qualifying all the other dimensions enough, as described above.
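The small-cell problem described above can be measured before a cube is published. The following is an added example, not part of the PIA or of PMRS: the rows, unit names, column names and the threshold k = 3 are all constructed assumptions, and it does not use Databeacon. It counts how many employees fall into cells smaller than k, and shows how that number grows when an age dimension is added.

```python
from collections import Counter

# Column order of the constructed sample rows (hypothetical names).
DIMENSIONS = ("org_code", "pay_plan", "grade", "gender", "position", "age_band")

# Constructed sample data: 13 fictional employees in two fictional units.
ROWS = [
    ("UNIT-A", "GS", 9, "F", "Archives Technician", "30-39"),
    ("UNIT-A", "GS", 9, "M", "Archives Technician", "30-39"),
    ("UNIT-A", "GS", 9, "M", "Archives Technician", "40-49"),
    ("UNIT-A", "GS", 9, "M", "Archives Technician", "40-49"),
    ("UNIT-A", "GS", 11, "F", "Archivist", "40-49"),
    ("UNIT-A", "GS", 11, "F", "Archivist", "50-59"),
    ("UNIT-A", "GS", 11, "F", "Archivist", "50-59"),
    ("UNIT-B", "GS", 9, "F", "Archives Technician", "20-29"),
    ("UNIT-B", "GS", 9, "F", "Archives Technician", "20-29"),
    ("UNIT-B", "GS", 9, "F", "Archives Technician", "20-29"),
    ("UNIT-B", "GS", 9, "M", "Archives Technician", "30-39"),
    ("UNIT-B", "GS", 9, "M", "Archives Technician", "30-39"),
    ("UNIT-B", "GS", 9, "M", "Archives Technician", "30-39"),
]

# Dimensions already published in this example, before age is added.
BASE = ("org_code", "pay_plan", "grade", "gender", "position")


def cell_counts(rows, dims):
    """Count employees in every cell of the cube when sliced on `dims`."""
    idx = [DIMENSIONS.index(d) for d in dims]
    return Counter(tuple(row[i] for i in idx) for row in rows)


def small_cells(rows, dims, k):
    """Cells holding fewer than k people; these are the re-identifiable ones."""
    return {cell: n for cell, n in cell_counts(rows, dims).items() if n < k}


def exposed_employees(rows, dims, k):
    """Number of employees who sit in a cell smaller than k."""
    return sum(small_cells(rows, dims, k).values())


def added_exposure(rows, base_dims, new_dim, k):
    """Exposure (before, after) publishing one more dimension."""
    before = exposed_employees(rows, base_dims, k)
    after = exposed_employees(rows, tuple(base_dims) + (new_dim,), k)
    return before, after


def publishable(rows, dims, k):
    """Cube view with small cells suppressed (count replaced by None).

    Suppressing cells alone is not sufficient if row or column totals are
    also published, because a suppressed count can be derived by subtraction.
    """
    return {
        cell: (n if n >= k else None)
        for cell, n in cell_counts(rows, dims).items()
    }


if __name__ == "__main__":
    k = 3
    print("small cells on base dimensions:", small_cells(ROWS, BASE, k))
    before, after = added_exposure(ROWS, BASE, "age_band", k)
    print(f"employees in cells < {k}: {before} before age, {after} with age")
    for cell, n in publishable(ROWS, BASE + ("age_band",), k).items():
        print(cell, "suppressed" if n is None else n)
```

Run against the real cube's source rows, the same counts give a concrete basis for deciding whether a new dimension can be published openly or needs access control.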
hr_employee
The main cube, hr_employee, has two measures that can be broken out in 20 dimensions (right). The data covers monthly snapshots of active employees.
• All Pay Plans
• All Occupational Series
• Both Perm & Temp
• Both Full & Part-time
• All Race/Ethnic Groups
• All Supervisory Levels
• Both Students & Non-students
• All Retirement Plans
• Retirement Eligibility
• All Target Grades
• All Time in Grade
• All Years of Federal Service
• All Ages
• All Functions
• Measures: Employees; Retirement-eligible Employees
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS - except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone - these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None.
2.3.10 Can the use of the system allow NARA to treat the public, employees or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None.
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined and by whom? Are criteria, procedures, controls and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H, and the people they share the URL with, have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system or will the user's access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule, N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule, N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Legible labels: Everyone on NARANET; Written request & FOIA data.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP.
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries and Museum Services office.
• 9 go to the PMRS point of contact in R, the central office of the Research Services office.
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server, accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit
• The limited sensitivity of the data
• The very limited additional exposure that the present system incurs
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None.
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None.
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Legible label: Written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
bull FOIAs The big FOIA shops run their own databases The National Personnel Records Center in St Louis uses CMRS Our Washington-area operation uses ADRRES the PRA libraries and NGC use home-grown Access databases Only the small shops use the FOIA web log Of the 12186 FOIAs received in FY2007 only 3 (360) came into PMRS through the FOIA web log But these covered 20 NARA units That is 20 Access databases that we no longer have to chase each month
bull Written requests Units are very attached to their correspondence logs Only 5 units out of 41 chose to replace them with the one in the web app The web app recorded 2954 written requests in FY2007 3 of the total excluding National Personnel Records Center
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical, data mining or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A.
7 Approvals
The Following Officials Have Approved this PIA
System Manager, 09/13/13
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
2 Employee Data
This diagram is an extract of the one on page 2. It shows just the data about employees.
[Diagram: Performance Measurement and Reporting System, Employee Data in PMRS. Legend: employee data. Label: Human Capital only.]
2.1 Employee Information Being Collected
Employee data enters PMRS from two sources:
• FPPS, the personnel system. This is the major source. Every month HTS emails CP an extract from FPPS. This is shown at left in the diagram above.
• PMRS Web App (Employee Log). This web log holds a list of employees and a checkmark from their manager as to whether they are eligible to telework or not.
2.1.1 FPPS Extract.accdb
This is PMRS's receiving database for the extract coming from FPPS. It is essentially an envelope for moving the data. It has no queries for analyzing the data. It has two tables for employees: one with identifying information but no RNO [1] data, and one with the reverse. See the displays below.
Employee Data with IDs - EMPLOYEE ID table
See the list of fields on the next page. This is a table of all current employees plus those who departed within the last year. The most sensitive fields are:
• NARA employee number
• Employee name
[1] RNO = Race and national origin
[Field list of the EMPLOYEE ID table. Entries are given as field name (data type): description. "[illegible]" marks text that cannot be recovered and "[text cut off]" marks descriptions truncated in the original display.]
• [illegible]: NARA's unique employee identifier [remainder illegible]
• [illegible]: Last name and first name of the employee
• [illegible]: A code designating schedule of pay grades, typically meaning GS, General Schedule
• [illegible]: Level of the position, such as the 13 in GS-13
• occupational series cd (Text): A code describing the kind of duties to which the employee has been assigned
• supervisory level cd (Text): A code indicating the employee's supervisory role
• nara org cd (Text): OrgCode from PRS
• facility cd (Text): The duty [illegible] code from CHRIS, the personnel system
• position title txt (Text): Title of the employee's position
• hire dt (DateTime): The date the employee's tenure at NARA officially began. Dt EOD NARA
• separation dt (DateTime): The date the employee's tenure at NARA officially ended [remainder illegible]
• [illegible] (Text): From the personnel system [remainder illegible]
• [illegible] (Text): A code indicating the rule under which the employee [illegible] position
• gender cd (Text): A code indicating the employee's sex
• patcob cd (Text): A code indicating whether the person's position is professional [remainder illegible]
• appt auth [illegible] (Text): 3 digit code that identifies an appointment authority
• work schedule cd (Text): A code that distinguishes between full-time, part-time, intermittent and seasonal employment
• retirement eligibility [illegible] (DateTime): The earliest date that this employee will be eligible to retire
• federal service start dt (DateTime): SCD (leave) in CHRIS. This is the date to use for calculating [remainder illegible]
• last promotion dt (DateTime): The date of the employee's last promotion. If none, then [hire dt]
• retirement plan [illegible] (Text): The code that indicates which retirement plan applies to this employee
• target grade num (Number): The top grade level of the employee's current career track
• record status txt (Text): Status of the record as a result of the last update from the personnel system
• idp fg (Yes/No): Yes = This employee has an Individual Development Plan approved as being linked to strategic goals
• idp dt (DateTime): The date on which the employee's Individual Development Plan was approved as being linked to [text cut off]
• end of month idp dt (DateTime): As of end of last quarter. The date on which the employee's Individual Development Plan was approv [text cut off]
• performance plan fg (Yes/No): Yes = This employee has a current performance appraisal plan approved as being linked to strategic goa [text cut off]
• performance plan dt (DateTime): The date on which the employee's performance appraisal plan was approved as being linked to [text cut off]
• end of month performance plan dt (DateTime): As of end of last quarter. The date on which the employee's performance appraisal plan was approv [text cut off]
• new nara org cd (Text): Manually entered by the PMRS Administrator during times of reorganization when people have both o [text cut off]
• cancel idp fg (Yes/No): Temp data. Yes = Cancel the person's IDP in Employee.mdb. Incoming data shows a change in org pos [text cut off]
• cancel performance plan fg (Yes/No): Temp data. Yes = cancel the person's performance plan in Employee.mdb. Incoming data shows a cha [text cut off]
• standard name (Text): Used for linking to data coming from ETAMS to data from CHRIS. See the ETAMS import code
Employee Data with IDs - EMPLOYEE RNO table
This covers only current employees. It is anonymized, meaning that employee names and IDs are not in the table. What remains is statistical information only, particularly:
• Disability code
• Self-declared race code
Employee RNO table
2.1.2 PMRS Web App (Employee Log)
This is where managers check off people as being eligible to telework or not. It contains the minimum number of fields to support that function. The list of employees gets updated by FPPS Extract.accdb every time it imports new data from FPPS.
Beyond the confluence of employee name and number, this database has no sensitive data.
[Field list of the Employee Log, mostly illegible. One legible description: The month and year for which eligibility applies]
2.1.3 PMRS Warehouse
This is the heart of PMRS. It stores data on all employees, present and past, with monthly snapshots of various properties such as their current grade and position title. The database resides in SQL Server running on the PMRSprod Windows server. Access is restricted to the PMRS Administrator.
As with the feed files and FPPS Extract.accdb, the warehouse segregates the employee data into two areas:
• Data with identifying information but no RNO or disability information
• The reverse: anonymized data with RNO and disability information
Tables with Identifiers
This is EMPLOYEE, the parent table, with one row for every employee, past and present. Sensitive fields are:
• NARA employee number
• Employee name
This is EMPLOYEE MONTH ID, with one record for each employee each month. It is child to EMPLOYEE, with the link back being through [employee num]. This contains no RNO data.
[Field list of EMPLOYEE MONTH ID (field name, data type), only partly legible. Legible field names: position title txt, pay plan cd, series cd, supervisory level cd, appointment type cd, appointing authority cd, gender cd, patcob cd, work schedule cd, target grade num, last promotion dt, employee qty, performance plan qty]
This is EMPLOYEE MONTH, with one record for each employee each month. However, the data is anonymous.
[Field list of EMPLOYEE MONTH (field name, data type), only partly legible. Legible field names: race combo cd, work schedule cd, grade num, federal service start dt, retirement plan cd, retirement eligibility dt, employee qty, employee age, patcob cd]
2.1.4 The Databeacon Web Site
PMRS publishes its data on NARANET using Databeacon. Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser. Our standard Employee cube lets users slice the data on 17 dimensions such as pay plan, grade, supervisory level, org code, gender, race, or any combination of these. The system does not let users ask about individuals. Indeed, neither employee names nor numbers are on the web site. However, by slicing the data fine enough, users can sometimes tell who the data is describing, especially in small units where there may be only one female GS-9 Archives Technician. Therefore, when H asked for more dimensions, in particular a breakout by people's ages, we knew that we had a privacy issue.
Our solution was to give H the additional dimensions they want, but to put that data at a hidden location on the PMRS web site. The data is accessible by anyone on NARANET, but only if they know the URL. Databeacon has no security facilities of its own.
The sensitive data here is people's ages, and the possibility that users could connect an age with a specific employee by qualifying all the other dimensions enough, as described above.
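The slicing risk described above can be measured before a cube is published by counting how many employees fall into each cell. The sketch below is an added example, not part of the PIA or of PMRS; the rows, the dimension names and the threshold k are constructed assumptions.

```python
from collections import Counter
from itertools import combinations

DIMS = ("org", "grade", "gender", "age_band")  # assumed dimension names


def _make(n, org, grade, gender, age_band):
    """Build n identical constructed employee rows."""
    return [{"org": org, "grade": grade, "gender": gender, "age_band": age_band}
            for _ in range(n)]


# Constructed snapshot: one row per employee, no names or employee numbers,
# like the published cube. UNIT-A is a large unit, UNIT-B a small one.
ROWS = (
    _make(4, "UNIT-A", 9, "F", "30-39") + _make(4, "UNIT-A", 9, "M", "40-49")
    + _make(4, "UNIT-A", 11, "F", "50-59") + _make(4, "UNIT-A", 11, "M", "30-39")
    + _make(1, "UNIT-B", 9, "F", "50-59") + _make(2, "UNIT-B", 9, "M", "40-49")
    + _make(3, "UNIT-B", 11, "M", "30-39")
)


def cell_counts(rows, dims):
    """Head count for every populated cell when slicing on dims."""
    return Counter(tuple(r[d] for d in dims) for r in rows)


def small_cells(rows, dims, k):
    """Cells that describe fewer than k people; these are the risky slices."""
    return {cell: n for cell, n in cell_counts(rows, dims).items() if n < k}


def minimal_unsafe_dimension_sets(rows, dims, k):
    """Smallest dimension combinations that already produce a small cell.

    Slicing finer can only shrink a cell, so every superset of a set
    returned here is unsafe as well and is skipped.
    """
    unsafe = []
    for size in range(1, len(dims) + 1):
        for combo in combinations(dims, size):
            if any(set(u) <= set(combo) for u in unsafe):
                continue
            if small_cells(rows, combo, k):
                unsafe.append(combo)
    return unsafe


def single_person_values(rows, quasi_dims, sensitive):
    """For cells holding exactly one person, the sensitive value a user
    could read off by slicing on quasi_dims plus the sensitive dimension."""
    counts = cell_counts(rows, quasi_dims)
    exposed = {}
    for r in rows:
        key = tuple(r[d] for d in quasi_dims)
        if counts[key] == 1:
            exposed[key] = r[sensitive]
    return exposed


if __name__ == "__main__":
    k = 3  # assumed minimum cell size; choose per agency policy
    for combo in minimal_unsafe_dimension_sets(ROWS, DIMS, k):
        print("unsafe combination:", combo, small_cells(ROWS, combo, k))
    print("age readable for:",
          single_person_values(ROWS, ("org", "grade", "gender"), "age_band"))
```
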
hr_employee
The main cube, hr_employee, has two measures that can be broken out in 20 dimensions (right). The data covers monthly snapshots of active employees.
[Dimension list, as far as it is legible:]
• All Pay Plans
• All Occupational Series
• Both Perm & Temp
• Both Full & Part-time
• All Race/Ethnic Groups
• All Supervisory Levels
• Both Students & Non-students
• All Retirement Plans
• Retirement Eligibility
• All Target Grades
• All Time in Grade
• All Years of Federal Service
• All Ages
• All Functions
• Measures (Measures): [prefix illegible] of Employees, [prefix illegible] of Retirement-eligible Employees
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS, except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone, these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None.
2.3.10 Can the use of the system allow NARA to treat the public, employees or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None.
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A.
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined and by whom? Are criteria, procedures, controls and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H and the people they share the URL with have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system, or will the users' access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system, and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Label: Everyone on NARANET. Legend: written request & FOIA data.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries and Museum Services office
• 9 go to the PMRS point of contact in R, the central office of the Research Services office
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit.
• The limited sensitivity of the data.
• The very limited additional exposure that the present system incurs.
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost.
Given the tradeoffs, CP concludes that the present design is appropriate.
33 Intended Use of this Information
None
-------------------16
Privacy Impact Assessment September 12 2013
34 Sharing of Collected Information
The data is not shared It goes nowhere as describe in the introduction to this section 3 on page 15 above
35 Opportunities for Individuals to Decline Providing Information
None
36 Security of Collected Information
The files in question reside in sequence
bull As email attachments in Group Wise protected by the recipients password
bull In the PMRS staging area Access to that requires first a NARANET login and then an account on the PMRSprod server Very few people have this See section 3 I on page 16 above
bull In the PMRS staging area archive Access to this requires frrst a NARANET login and then an account on the PMRSweb server Only the PMRS Administrator has this
~ 17
Privacy lnqJact Assessment September 12 2013
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. The legend marks written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES. The PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
[Screenshot: Web - FOIA Data Entry table]
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical, data mining or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A
7 Approvals
The Following Officials Have Approved this PIA
System Manager 09/13/13
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
[Table of employee fields, recovered from a scanned image. Each row gives field name (data type): description. "[illegible]" marks text that did not survive the scan, and "…" marks a description cut off at the edge of the image.]
• [illegible]: NARA's unique employee identifier. [remainder illegible]
• [illegible]: Last name and first name of the employee.
• [illegible]: A code designating schedule pay grades, typically meaning GS, General Schedule.
• [illegible]: Level of the position, such as the "13" in GS-13.
• [illegible] cd (Text): A code describing the kind of duties to which the employee has been assigned.
• supervisory level cd (Text): A code indicating the employee's supervisory role.
• nara org cd (Text): Org code from PRS.
• facility cd (Text): The duty [illegible] code from CHRIS, the personnel system.
• position title txt (Text): Title of the employee's position.
• hire dt (DateTime): The date the employee's tenure at NARA officially began. Dt EOD NARA.
• separation dt (DateTime): The date the employee's tenure at NARA officially ended. Dt separated.
• separation reason [illegible] (Text): From the personnel system, a code [illegible] an employee left NARA.
• appt type cd (Text): A code indicating the rule under which the employee [illegible] position.
• gender cd (Text): A code indicating the employee's sex.
• patcob cd (Text): A code indicating whether the person's position is professional, [remainder illegible].
• appt auth [illegible] (Text): 3 digit code that identifies an appointment authority.
• work schedule cd (Text): A code that distinguishes between full-time, part-time, intermittent and seasonal employment.
• retirement eligibility [illegible] (DateTime): The earliest date that this employee will be eligible to retire.
• federal service start dt (DateTime): SCD (leave in CHRIS). This is the date to use for calculating years in service [remainder illegible].
• last promotion dt (DateTime): The date of the employee's last promotion. If none, then [hire dt].
• retirement plan cd (Text): The code that indicates which retirement plan applies to this employee.
• target grade num (Number): The top grade level of the employee's current career track.
• record status txt (Text): Status of the record as a result of the last update from the personnel system.
• idp fg (Yes/No): Yes = This employee has an Individual Development Plan approved as being linked to strategic goals.
• idp dt (DateTime): The date on which the employee's Individual Development Plan was approved as being linked to strat…
• end of month idp dt (DateTime): As of end of last quarter. The date on which the employee's Individual Development Plan was approv…
• performance plan fg (Yes/No): Yes = This employee has a current performance appraisal plan approved as being linked to strategic goa…
• performance plan dt (DateTime): The date on which the employee's performance appraisal plan was approved as being linked to strateg…
• end of month performance plan dt (DateTime): As of end of last quarter. The date on which the employee's performance appraisal plan was approvec…
• new nara org cd (Text): Manually entered by the PMRS Administrator during times of reorganization when people have both o…
• cancel idp fg (Yes/No): Temp data. Yes = Cancel the person's IDP in Employee.mdb. Incoming data shows a change in org pos…
• cancel performance plan fg (Yes/No): Temp data. Yes = Cancel the person's performance plan in Employee.mdb. Incoming data shows a cha…
• standard name (Text): Used for linking data coming from ETAMS to data from CHRIS. See the ETAMS import code.
Employee Data with IDs - EMPLOYEE RNO table
This covers only current employees. It is anonymized, meaning that employee names and IDs are not in the table. What remains is statistical information only, particularly:
• Disability code
• Self-declared race code
Employee RNO table
2.1.2 PMRS Web App (Employee Log)
This is where managers check off people as being eligible to telework or not. It contains the minimum number of fields to support that function. The list of employees gets updated by FPPS Extract.accdb every time it imports new data from FPPS.
Beyond the confluence of employee name and number, this database has no sensitive data.
[Table of fields, recovered from a scanned image. Only one description is legible: The month and year for which eligibility applies.]
2.1.3 PMRS Warehouse
This is the heart of PMRS. It stores data on all employees, present and past, with monthly snapshots of various properties such as their current grade and position title. The database resides in SQL Server running on the PMRSprod Windows server. Access is restricted to the PMRS Administrator.
As with the feed files and FPPS Extract.accdb, the warehouse segregates the employee data into two areas:
• Data with identifying information but no RNO or disability information
• The reverse: anonymized data with RNO and disability information
Tables with Identifiers
This is EMPLOYEE, the parent table, with one row for every employee, past and present. Sensitive fields are:
• NARA employee number
• Employee name
This is EMPLOYEE MONTH ID, with one record for each employee each month. It is child to EMPLOYEE, with the link back being through [employee num]. This contains no RNO data.
[Table of EMPLOYEE MONTH ID fields (field name, data type), recovered from a scanned image. The first four rows survive as data types only: DateTime, Number, Text, Text. Legible rows follow; "[illegible]" marks text that did not survive the scan.]
• position title txt (Text)
• pay plan cd (Text)
• [illegible] (Number)
• series cd (Text)
• supervisory level [illegible]
• appointment type cd
• appointing authority cd (Text)
• gender cd (Text)
• patcob cd (Text)
• work schedule cd (Text)
• target grade num (Number)
• last promotion dt (DateTime)
• employee qty (Number)
• performance plan qty
This is EMPLOYEE MONTH, with one record for each employee each month. However, the data is anonymous.
[Table of EMPLOYEE MONTH fields (field name, data type), recovered from a scanned image in which the two columns no longer line up. Legible field names: race combo cd, work schedule cd, grade num, federal service start dt, retirement plan cd, retirement eligibility dt, employee qty, employee age, patcob cd. Data types present: DateTime, Text, Number.]
2.1.4 The Databeacon Web Site
PMRS publishes its data on NARANET using Databeacon. Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser. Our standard Employee cube lets users slice the data on 17 dimensions such as pay plan, grade, supervisory level, org code, gender, race, or any combination of these. The system does not let users ask about individuals. Indeed, neither employee names nor numbers are on the web site. However, by slicing the data finely enough, users can sometimes tell who the data is describing, especially in small units where there may be only one female GS-9 Archives Technician. Therefore, when H asked for more dimensions, in particular a breakout by people's ages, we knew that we had a privacy issue.
Our solution was to give H the additional dimensions they want, but to put that data at a hidden location on the PMRS web site. The data is accessible by anyone on NARANET, but only if they know the URL. Databeacon has no security facilities of its own.
The sensitive data here is people's ages, and the possibility that users could connect an age with a specific employee by qualifying all the other dimensions enough, as described above.
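A check for the small-cell problem described above, run before a new dimension such as age is added to a cube. This is an added example, not part of the PIA or of PMRS; the rows, unit names, age bands and thresholds are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data (not NARA data): one row per employee,
# with no names or employee numbers, as in the published cube.
FIELDS = ("org", "series", "grade", "gender", "age_band")
ROWS = [dict(zip(FIELDS, r)) for r in [
    ("UNIT-A", "Archives Technician", 9, "F", "50-59"),
    ("UNIT-A", "Archives Technician", 9, "M", "30-39"),
    ("UNIT-A", "Archives Technician", 9, "M", "40-49"),
    ("UNIT-A", "Archivist", 12, "F", "30-39"),
    ("UNIT-A", "Archivist", 12, "F", "30-39"),
    ("UNIT-B", "Archives Technician", 7, "M", "20-29"),
    ("UNIT-B", "Archives Technician", 7, "M", "30-39"),
    ("UNIT-B", "Archives Technician", 7, "M", "50-59"),
    ("UNIT-B", "Archivist", 12, "F", "40-49"),
    ("UNIT-B", "Archivist", 12, "M", "40-49"),
]]

# Dimensions a colleague is likely to know about a person already.
QUASI = ("org", "series", "grade", "gender")


def group(rows, dims):
    """Map each cell (tuple of dimension values) to the rows that fall in it."""
    cells = defaultdict(list)
    for row in rows:
        cells[tuple(row[d] for d in dims)].append(row)
    return cells


def singled_out(rows, dims):
    """Employees who sit alone in their cell: the slice describes one person."""
    return sum(1 for members in group(rows, dims).values() if len(members) == 1)


def sensitive_disclosed(rows, dims, sensitive):
    """Employees whose sensitive value is revealed by slicing on dims.

    A cell reveals the value when every member shares it. That covers the
    one-person cell and also larger cells with no variety in the value.
    """
    total = 0
    for members in group(rows, dims).values():
        if len({m[sensitive] for m in members}) == 1:
            total += len(members)
    return total


def scan_slices(rows, dims, sensitive):
    """Disclosure count for every combination of dimensions a user could pick."""
    report = {}
    for size in range(1, len(dims) + 1):
        for subset in combinations(dims, size):
            report[subset] = sensitive_disclosed(rows, subset, sensitive)
    return report


def publishable_cells(rows, dims, sensitive, k=3, distinct=2):
    """Cells that can carry the sensitive breakout: at least k people and at
    least `distinct` different sensitive values. Every other cell needs
    suppression or roll-up before the sensitive dimension is published."""
    return {
        cell
        for cell, members in group(rows, dims).items()
        if len(members) >= k and len({m[sensitive] for m in members}) >= distinct
    }


if __name__ == "__main__":
    report = scan_slices(ROWS, QUASI, "age_band")
    for subset in sorted(report, key=lambda s: (len(s), s)):
        print(f"{' x '.join(subset):40s} ages disclosed: {report[subset]}")
    print("singled out on all dimensions:", singled_out(ROWS, QUASI))
    print("cells safe for an age breakout:",
          publishable_cells(ROWS, QUASI, "age_band"))
```

On this sample no single dimension discloses anyone's age band, while the full four-way slice discloses it for half the staff, including a two-person cell where both members share the same band.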
hr_employee
The main cube, hr_employee, has two measures that can be broken out in 20 dimensions (right). The data covers monthly snapshots of active employees.
[Screenshot of the dimension selector. Legible entries: All Pay Plans; All Occupational Series; Both Perm & Temp; Both Full & Part-time; All Race/Ethnic Groups; All Supervisory Levels; Both Students & Non-students; All Retirement Plans; Retirement Eligibility; All Target Grades; All Time in Grade; All Years of Federal Service; All Ages; All Functions. Measures: [illegible] of Employees; [illegible] of Retirement-eligible Employees.]
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS, except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone, these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None.
2.3.10 Can the use of the system allow NARA to treat the public, employees or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully, it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None.
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined, and by whom? Are criteria, procedures, controls and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H and the people they share the URL with have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system, or will the user's access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system, and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Labels include "Everyone on NARANET". The legend marks written request & FOIA data.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month, PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP.
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries and Museum Services office.
• 9 go to the PMRS point of contact in R, the central office of the Research Services office.
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator The staging area is then emptied ready
middotfor the next month This is an automatic process
32 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs PMRS makes no use of it and does not import it into the PMRS warehouse
The alternative would be to have the units send in only extracts of their Jogs Some units do this already The question is whether it makes business sense to expand that design to all units The tradeoffs are these
bull The cost ofbuilding deploying teaching and maintaining 17 extract databases These are small units with limited technical ability CP would have to do the work
bull The additional complexity of the monthly submission step at each unit
bull The limited sensitivity of the data
bull The very limited additional exposure that the present system incurs
bull The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs CP concludes that the present design is appropriate
33 Intended Use of this Information
None
-------------------16
Privacy Impact Assessment September 12 2013
34 Sharing of Collected Information
The data is not shared It goes nowhere as describe in the introduction to this section 3 on page 15 above
35 Opportunities for Individuals to Decline Providing Information
None
36 Security of Collected Information
The files in question reside in sequence
bull As email attachments in Group Wise protected by the recipients password
bull In the PMRS staging area Access to that requires first a NARANET login and then an account on the PMRSprod server Very few people have this See section 3 I on page 16 above
bull In the PMRS staging area archive Access to this requires frrst a NARANET login and then an account on the PMRSweb server Only the PMRS Administrator has this
~ 17
Privacy lnqJact Assessment September 12 2013
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, "Written Request & FOIA Data in PMRS". Legend: written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES. The PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total, excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
[Screenshot: Web - FOIA data entry table]
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical, data mining, or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes
4.6.9 Describe any monitoring, testing, or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No
6.2 If so, what changes were made to the system/application to compensate?
N/A
7 Approvals
The following officials have approved this PIA:
System Manager 091313
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
2.1.2 PMRS Web App (Employee Log)
This is where managers check off people as being eligible to telework or not. It contains the minimum number of fields to support that function. The list of employees gets updated by FPPS Extract.accdb every time it imports new data from FPPS.
Beyond the confluence of employee name and number, this database has no sensitive data.
[Table: Employee Log fields with descriptions (illegible in source)]
2.1.3 PMRS Warehouse
This is the heart of PMRS. It stores data on all employees, present and past, with monthly snapshots of various properties such as their current grade and position title. The database resides in SQL Server running on the PMRSprod Windows server. Access is restricted to the PMRS Administrator.
As with the feed files and FPPS Extract.accdb, the warehouse segregates the employee data into two areas:
• Data with identifying information but no RNO or disability information
• The reverse: anonymized data with RNO and disability information
Tables with Identifiers
This is EMPLOYEE, the parent table, with one row for every employee, past and present. Sensitive fields are:
• NARA employee number
• Employee name
This is EMPLOYEE MONTH ID, with one record for each employee each month. It is child to EMPLOYEE, with the link back being through [employee num]. This contains no RNO data.
[Table: EMPLOYEE MONTH ID fields, with columns Field Name and Data Type (DateTime, Number, or Text). Legible field names: position_title, pay plan cd, series cd, appointment type cd, patcob cd, work schedule cd, target grade num, last promotion dt, employee qty, performance plan qty. The remaining rows are illegible in the source.]
This is EMPLOYEE MONTH, with one record for each employee each month. However, the data is anonymous.
[Table: EMPLOYEE MONTH fields, with columns Field Name and Data Type (DateTime, Number, or Text). Legible field names: race combo cd, work schedule cd, grade num, federal service start dt, retirement plan cd, retirement eligibility dt, employee qty, employee age, patcob cd. The remaining rows are illegible in the source.]
2.1.4 The Databeacon Web Site
PMRS publishes its data on NARANET using Databeacon. Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser. Our standard Employee cube lets users slice the data on 17 dimensions such as pay plan, grade, supervisory level, org code, gender, race, or any combination of these. The system does not let users ask about individuals. Indeed, neither employee names nor numbers are on the web site. However, by slicing the data fine enough, users can sometimes tell who the data is describing, especially in small units where there may be only one female GS-9 Archives Technician. Therefore, when H asked for more dimensions, in particular a breakout by people's ages, we knew that we had a privacy issue.
Our solution was to give H the additional dimensions they want, but to put that data at a hidden location on the PMRS web site. The data is accessible by anyone on NARANET, but only if they know the URL. Databeacon has no security facilities of its own.
The sensitive data here is people's ages and the possibility that users could connect an age with a specific employee by qualifying all the other dimensions enough, as described above.
hr_employee
The main cube, hr_employee, has two measures that can be broken out in 20 dimensions (right). The data covers monthly snapshots of active employees.
[Screenshot: hr_employee dimension list. Legible entries:
• All Pay Plans
• All Occupational Series
• Both Perm & Temp
• Both Full & Part-time
• All Race/Ethnic Groups
• All Supervisory Levels
• Both Students & Non-students
• All Retirement Plans
• Retirement Eligibility
• All Target Grades
• All Time in Grade
• All Years of Federal Service
• All Ages
• All Functions
• Measures: # of Employees, # of Retirement-eligible Employees]
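The re-identification risk described in this section (slicing a cube until a cell describes one person, so that a published age attaches to a known employee) can be checked mechanically before a cube is published. The following is an added example, not part of the original assessment and not code from PMRS or Databeacon: it finds the fewest dimensions a user must qualify to isolate fewer than k employees, and lists the cells whose age band would be disclosed, including cells of k or more people who all share one age band. The rows, unit codes, field names and the threshold k=2 are constructed assumptions (a real threshold is normally larger).

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: one row per employee in a monthly snapshot.
# Unit codes, values and field names are invented for illustration.
QUASI_IDS = ("unit", "pay_plan", "grade", "gender")   # dimensions anyone can slice on
SENSITIVE = "age_band"                                 # the dimension being protected
ROWS = [
    dict(unit="UNIT-A", pay_plan="GS", grade=9,  gender="F", age_band="30-39"),
    dict(unit="UNIT-A", pay_plan="GS", grade=9,  gender="M", age_band="40-49"),
    dict(unit="UNIT-A", pay_plan="GS", grade=9,  gender="M", age_band="50-59"),
    dict(unit="UNIT-A", pay_plan="GS", grade=11, gender="M", age_band="30-39"),
    dict(unit="UNIT-B", pay_plan="GS", grade=9,  gender="F", age_band="20-29"),
    dict(unit="UNIT-B", pay_plan="GS", grade=9,  gender="F", age_band="50-59"),
    dict(unit="UNIT-B", pay_plan="GS", grade=9,  gender="M", age_band="40-49"),
    dict(unit="UNIT-B", pay_plan="GS", grade=9,  gender="M", age_band="40-49"),
]


def group(rows, dims):
    """Cross-tabulate rows on dims: {cell_key: [rows in that cell]}."""
    cells = defaultdict(list)
    for row in rows:
        cells[tuple(row[d] for d in dims)].append(row)
    return cells


def smallest_isolating_slices(rows, quasi_ids, k):
    """Fewest dimensions a user must qualify to reach a cell with < k people.

    Returns (n_dims, [(dims, cell_key, count), ...]), or (None, []) if no
    combination of dimensions produces a cell smaller than k.
    """
    for n in range(1, len(quasi_ids) + 1):
        hits = []
        for dims in combinations(quasi_ids, n):
            for key, members in group(rows, dims).items():
                if len(members) < k:
                    hits.append((dims, key, len(members)))
        if hits:
            return n, hits
    return None, []


def disclosed(rows, quasi_ids, sensitive, k):
    """Cells at full granularity that reveal the sensitive value.

    A cell discloses when it holds fewer than k people ("small cell") or
    when it holds k or more people who all share one sensitive value
    ("homogeneous"): a cell count alone does not catch the second case.
    """
    out = {}
    for key, members in group(rows, quasi_ids).items():
        values = sorted({m[sensitive] for m in members})
        if len(members) < k:
            out[key] = ("small cell", values)
        elif len(values) == 1:
            out[key] = ("homogeneous", values)
    return out


def publishable(rows, dims, k):
    """Cell counts with small cells masked as None (primary suppression).

    Caveat: if row or column totals are published alongside, a masked cell
    can be recovered by subtraction unless a second cell is masked as well.
    """
    return {key: (len(m) if len(m) >= k else None)
            for key, m in group(rows, dims).items()}


if __name__ == "__main__":
    n, hits = smallest_isolating_slices(ROWS, QUASI_IDS, k=2)
    print(f"isolation possible with {n} dimension(s): {hits}")
    for cell, (reason, ages) in disclosed(ROWS, QUASI_IDS, SENSITIVE, k=2).items():
        print(f"{cell}: {reason}, age band(s) revealed: {ages}")
    print(publishable(ROWS, ("unit", "grade", "gender"), k=2))
```
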
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender, and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS, except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone, these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN, or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None
2.3.10 Can the use of the system allow NARA to treat the public, employees, or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully, it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate, and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined, and by whom? Are criteria, procedures, controls, and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H and the people they share the URL with have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system, or will the user's access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system, and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive, or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local, or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness, and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, "Written Request & FOIA Data in PMRS". Labels: Everyone on NARANET. Legend: written request & FOIA data.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore, the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month, PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office
• 9 go to the PMRS point of contact in R, the central office of the Research Services office
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs PMRS makes no use of it and does not import it into the PMRS warehouse
The alternative would be to have the units send in only extracts of their Jogs Some units do this already The question is whether it makes business sense to expand that design to all units The tradeoffs are these
bull The cost ofbuilding deploying teaching and maintaining 17 extract databases These are small units with limited technical ability CP would have to do the work
bull The additional complexity of the monthly submission step at each unit
bull The limited sensitivity of the data
bull The very limited additional exposure that the present system incurs
bull The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs CP concludes that the present design is appropriate
33 Intended Use of this Information
None
-------------------16
Privacy Impact Assessment September 12 2013
34 Sharing of Collected Information
The data is not shared It goes nowhere as describe in the introduction to this section 3 on page 15 above
35 Opportunities for Individuals to Decline Providing Information
None
36 Security of Collected Information
The files in question reside in sequence
bull As email attachments in Group Wise protected by the recipients password
bull In the PMRS staging area Access to that requires first a NARANET login and then an account on the PMRSprod server Very few people have this See section 3 I on page 16 above
bull In the PMRS staging area archive Access to this requires frrst a NARANET login and then an account on the PMRSweb server Only the PMRS Administrator has this
~ 17
Privacy lnqJact Assessment September 12 2013
4 Written Requests amp FOIAs in the PMRS Web Application This diagram is an extract of the one on page 2 It shows just the data about written requests and FOIAs Data flows from the source systems on the left to the website users on the right
Performance Measurement and Reporting System
Written Request amp FOIA Data in PMRS
cgt =Written request amp FOIA data
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS This section concerns the PMRS web application its FOIA Log and its Written Request Log
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month The old databases were cumbersome inflexible and depended on people in the field to push the data to CP By contrast the web app allows central maintenance and CP can pull the data from the database at any time As the scope ofPMRS expanded the web app allowed CP to collect additional data at relatively low cost
The downside of the web app is that it puts CP in the business of owning a source system Normally source databases are the responsibility of their owners (CMRS SOFA FPPS and all the little Access databases that still come into PMRS) With the web app CP is obliged to support the field units requirements for day-to-day management data at least within certain subject areas Two of those subject areas are FOIAs and written requests
In practice many units chose to keep using their own databases in lieu of the web versions This is the current situation
bull FOIAs The big FOIA shops run their own databases The National Personnel Records Center in St Louis uses CMRS Our Washington-area operation uses ADRRES the PRA libraries and NGC use home-grown Access databases Only the small shops use the FOIA web log Of the 12186 FOIAs received in FY2007 only 3 (360) came into PMRS through the FOIA web log But these covered 20 NARA units That is 20 Access databases that we no longer have to chase each month
bull Written requests Units are very attached to their correspondence logs Only 5 units out of 41 chose to replace them with the one in the web app The web app recorded 2954 written requests in FY2007 3 of the total excluding National Personnel Records Center
~ 18
Privacy Impact Assessment September 122013
The web application currently has 281 registered users Many of these are supervisors and backup users 154 users are active having logged into the system in the past three months
41 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically [II Web - FOIA DATA ENTRt Tallie d ~ ~rt
bull The name of the person making the request (a member of the public)
bull The persons address and telephone number
bull A description of the records being sought
bull The date of the request and the dates of our actions in reply
Specifically in respect to FO As the web app collects the fields at right
In respect to written requests the web app collects the fields below
Privacy Impact Assessment September 12 2013
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical or data mining or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing, or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A.
7 Approvals
The Following Officials Have Approved this PIA
System Manager, 09/13/13
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
[Table: Field Name / Data Type. Legible fields: position_title (Text), pay plan cd (Text), series cd, appointment type cd, work schedule cd (Text), target grade num (Number), last promotion dt (DateTime), employee qty (Number), performance plan qty.]
This is EMPLOYEE MONTH, with one record for each employee each month. However, the data is anonymous.
[Table: field names and data types. Legible fields: race combo cd (Text), work schedule cd, grade num, federal service start dt, retirement plan cd, retirement eligibility, employee qty, employee age, patcob cd.]
2.1.4 The Databeacon Web Site
PMRS publishes its data on NARANET using Databeacon. Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser. Our standard Employee cube lets users slice the data on 17 dimensions, such as pay plan, grade, supervisory level, org code, gender, race, or any combination of these. The system does not let users ask about individuals. Indeed, neither employee names nor numbers are on the web site. However, by slicing the data fine enough, users can sometimes tell who the data is describing, especially in small units where there may be only one female GS-9 Archives Technician. Therefore, when H asked for more dimensions, in particular a breakout by people's ages, we knew that we had a privacy issue.
Our solution was to give H the additional dimensions they want, but to put that data at a hidden location on the PMRS web site. The data is accessible by anyone on NARANET, but only if they know the URL. Databeacon has no security facilities of its own.
The sensitive data here is people's ages, and the possibility that users could connect an age with a specific employee by qualifying all the other dimensions enough, as described above.
hr_employee
The main cube, hr_employee, has two measures that can be broken out in 20 dimensions (right). The data covers monthly snapshots of active employees.
[Figure: hr_employee dimension selector. Legible entries: All Pay Plans; All Occupational Series; Both Perm & Temp; Both Full & Part-time; All Race/Ethnic Groups; All Supervisory Levels; Both Students & Non-students; All Retirement Plans; Retirement Eligibility; All Target Grades; All Time in Grade; All Years of Federal Service; All Ages; All Functions. Measures: Employees; Retirement-eligible Employees.]
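The re-identification risk described in section 2.1.4, worked as an added example (it is not part of the original assessment and is not PMRS code): it counts the employees in every cell of a cube, flags the dimension combinations that produce cells below a minimum size, and finds cells whose members all share one age band. The rows, field names, unit names and the threshold K are constructed assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: one anonymous record per employee for one monthly snapshot.
# Field names, unit names and values are illustrative assumptions, not PMRS data.
FIELDS = ("org", "grade", "gender", "age_band")
ROWS = [dict(zip(FIELDS, r)) for r in [
    ("UNIT-A", 9, "F", "50-59"),   # the only female grade-9 employee in UNIT-A
    ("UNIT-A", 9, "M", "30-39"),
    ("UNIT-A", 9, "M", "40-49"),
    ("UNIT-A", 11, "M", "40-49"),
    ("UNIT-A", 11, "M", "40-49"),
    ("UNIT-B", 9, "F", "20-29"),
    ("UNIT-B", 9, "F", "30-39"),
    ("UNIT-B", 9, "F", "30-39"),
    ("UNIT-B", 9, "M", "20-29"),
    ("UNIT-B", 9, "M", "50-59"),
    ("UNIT-B", 9, "M", "30-39"),
]]
QUASI = ("org", "grade", "gender")  # dimensions a colleague already knows
K = 3                               # assumed minimum publishable cell size


def cell_counts(rows, dims):
    """Number of employees in each cell of the cube sliced on `dims`."""
    return Counter(tuple(r[d] for d in dims) for r in rows)


def small_cells(rows, dims, k=K):
    """Cells holding fewer than k employees, with their counts."""
    return {c: n for c, n in cell_counts(rows, dims).items() if n < k}


def risky_slices(rows, dims=QUASI, k=K):
    """Map each combination of dimensions to the number of employees
    who fall in a cell smaller than k when the cube is sliced that way."""
    exposed = {}
    for size in range(1, len(dims) + 1):
        for combo in combinations(dims, size):
            n = sum(small_cells(rows, combo, k).values())
            if n:
                exposed[combo] = n
    return exposed


def disclosed_ages(rows, dims=QUASI, sensitive="age_band"):
    """Cells where every member shares one sensitive value, so anyone who
    can place a person in the cell learns that value regardless of cell size."""
    seen = defaultdict(set)
    for r in rows:
        seen[tuple(r[d] for d in dims)].add(r[sensitive])
    return {c: next(iter(v)) for c, v in seen.items() if len(v) == 1}


def suppress(rows, dims, k=K):
    """Publishable view of a slice: counts below k are replaced by None."""
    return {c: (n if n >= k else None) for c, n in cell_counts(rows, dims).items()}


if __name__ == "__main__":
    for combo, n in risky_slices(ROWS).items():
        print(f"{' x '.join(combo):24} exposes {n} employee(s) in cells below {K}")
    for cell, age in disclosed_ages(ROWS).items():
        print("age band disclosed for cell", cell, "->", age)
    print(suppress(ROWS, ("org", "gender")))
```

Suppressing small cells is not sufficient on its own when row or column totals are also published, since a suppressed count can be recovered by subtraction.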
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender, and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS, except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone, these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN, or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None.
2.3.10 Can the use of the system allow NARA to treat the public, employees, or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate, and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None.
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A.
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined, and by whom? Are criteria, procedures, controls, and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H and the people they share the URL with have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system, or will the user's access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system, and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive, or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local, or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness, and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Label: Everyone on NARANET. Legend: Written request & FOIA data.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore, the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month, PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP.
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office.
• 9 go to the PMRS point of contact in R, the central office of the Research Services office.
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server, accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching, and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit.
• The limited sensitivity of the data.
• The very limited additional exposure that the present system incurs.
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost.
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None.
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None.
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Legend: Written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES; the PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2954 written requests in FY2007, 3% of the total excluding National Personnel Records Center.
~ 18
Privacy Impact Assessment September 122013
The web application currently has 281 registered users Many of these are supervisors and backup users 154 users are active having logged into the system in the past three months
41 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically [II Web - FOIA DATA ENTRt Tallie d ~ ~rt
bull The name of the person making the request (a member of the public)
bull The persons address and telephone number
bull A description of the records being sought
bull The date of the request and the dates of our actions in reply
Specifically in respect to FO As the web app collects the fields at right
In respect to written requests the web app collects the fields below
Privacy Impact Assessment September 12 2013
42 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so
43 Intended Use of this Information
The information is used by the respective NARA units to process the requests PMRS extracts nonshysensitive fields in order to measure performance The web logs have no analytical or data mining or reporting ability
44 Sharing of Collected Information
Units can see only their own data not each others The web log enforces this based on individuallogins The web application does not share this data at all
45 Opportunities for Individuals to Decline Providing Information
None If individuals want NARA records they must tell us what they want and give us a way to contact them
46 Security of Coiiected Information
461 How will the data be verified for accuracy timeliness and completeness
a) The people entering the data check it
b) The units check the figures that get published through PMRS as these reflect on their performance
c) Central offices spot check the data in the logs during regular inspections referring to the hard copies of the requests and replies
462 How will consistent nse of the system and data be maintained in all sites
Uniform instructions have been created for all fields These are available through the online help as well as in companion User Guides
Extensive field and cross-field validations are built into the logs themselves These prevent mistakes such as dates from last year or completion dates earlier than receipt dates
Central offices spot check the data in the logs during regular inspections
463 What are the retention periods of data in this system
Three years This is set by the PMRS records schedule Nl-064-03-1
464 What is the procedure for disposition of the data at the end of the retention period
Per the schedule the data is destroyed This is accomplished by a SQL Server scheduled job that runs every October
~ -------------------20
Privacy Impact Assessment September 12 2013
465 Is the system using technologies in ways that the Agency has not previously employed
No
466 How does the use of this technology affect publicemployee privacy
NA No such technology is being used
467 Does the system meet IT security requirements
Yes PMRS has NARA CampA approval
468 Has a risk assessment been performed for this system
Yes
469 Describe any monitoring testing or evaluation done on this system to ensure continued security of information
The units regularly view their performance on the PMRS web site They complain ifthey find something amiss in the data
At the detail level the system stamps every changed record with the date time and the ID of the person making the change
4610 Identify a point of contact for any additional questions regarding the security of the system
Steve Beste CP 301-837-0918
5 Is this a System of Record Covered by the Privacy Act PMRS is not a Privacy Act system of record Nor is it required to be
6 Conclusions and Analysis
61 Did any pertinent issues arise during the drafting of this Assessment
No
62 If so what changes were made to the systemapplication to compensate
NA
7 Approvals The Following Officials Have Approved this PIA
-----------------------------------------------------------21
Privacy Impact Assessment September 12 2013
System Manager 091313
Susan Ashtianie Director Perfonnance and Accountability St ff 3 01-83 7-1490
Senior Agency Official for Privacy Gary M Stern General Counsel amp Senior Agency Official for Privacy 301-837-3026
Chief Information Officer Michael Wash Assistant Archivist for Infonnation Services amp Chief Infonnation Officer 301-837-1992
---------------------------------------------------------------22
Privacy Impact Assessment September 12 2013
This is EMPLOYEE MONTH with one record for each employee each month However the data is anonymous
Data Type
pateIime~---~ Text
Number Text Text Text
cd Text
-4-~z~-J---~middot Text~-----L _j~~~~~----~-~--~-T~e2xt~-------~+ t-4-~r~a~c~e~c~o~m~b~o~cd~--J~-----middotJT_cext~
work schedule cd
grade num fed era service start dt
ret~re_rn_ent p_lan cd_ retipound_ernen_teJig~~ility~t
ployee qty ployee age
patcob cd --middot--middot-middot-middot- Text Text
c_ ----~---Number ~ DateTime_____
DateTim2e_____j
~--Text DateTim_~e___ Number_______ Number
~----------------------------------8
Privacy Impact Assessment September 122013
214 The Dataheacon Web Site
PMRS publishes its data on NARANET using Databeacon Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser Our standard Employee cube lets users slice the data on 17 dimensions such as pay plan grade supervisory level org code gender race or any combination of these The system does not let users ask about individuals Indeed neither employee names nor numbers are on the web site However by slicing the data fine enough users can sometimes tell who the data is describing especially in small units where there may be only one female GS-9 Archives Technician Therefore when H asked for more dimensions- in particular a breakout by peoples ages- we knew that we had a privacy issue
Our solution was to give H the additional dimensions they want but to put that data at a hidden location on the PMRS web site The data is accessible by anyone on NARANET but only if they know the URL Databeacon has no security facilities of its own
The sensitive data here is peoples ages and the possibility that users could connect an age with a specific employee by qualifYing all the other dimensions enough as described above
hr_employee
The main cube hr_employee has two measures that can be broken out in 20 dimensions (right) The data covers monthly snapshots of active employees
All Pay Plans
All Occupational Series Both Perm amp Temp Both Full amp Part-time
All RaceEthnic Groups
All Supervisory Levels Both Students amp Non-students
All Retirement Plans
Retirement Eligibility All Target Grades
All Time in Grade All Years of Federal Service All Ages All Functions Measures (Measures)
J-m of Employees Lsect of Retirement-eligible Employees
----------------------------------------------------9
Privacy Impact Assessment September 12 2013
2.2 Why the Employee Information is Being Collected
2.2.1 Is each data element required for the business purpose of the system? Explain.
The list of data elements is driven by the needs of H to do workforce planning. In particular:
• Retention analysis requires that PMRS keep data on individuals. We need to see if the specific people who were here last year are still here.
• The analysis by age requires people's birth dates. Knowing people's ages is a reasonable part of workforce planning and analysis.
In addition, CP has its own requirements for metrics:
• Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and, of those, how many do.
• A breakout of data by race, gender, and disabilities is required for our reporting to OMB.
2.2.2 Is there another source for the data? Explain how that source is or is not used.
FPPS is the only source of this data.
2.3 Intended Use of this Information
2.3.1 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected, and how will this be maintained and filed?
No. PMRS offers no more data about individuals than is already in FPPS, except for the fact of whether they are eligible to telework or not.
2.3.2 Will the new data be placed in the individual's record?
No. There is no new data.
2.3.3 Can the system make determinations about employees/the public that would not be possible without the new data?
No. There is no new data.
2.3.4 How will the new data be verified for relevance and accuracy?
There is no new data.
2.3.5 If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
See the descriptions in section 2.1 above regarding the access restrictions on the various data stores.
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone, these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN or other unique identifier? If yes, explain and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None.
2.3.10 Can the use of the system allow NARA to treat the public, employees or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully, it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate, and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None.
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined and by whom? Are criteria, procedures, controls, and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H and the people they share the URL with have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system or will the user's access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local, or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness, and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus, the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Figure: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Labels shown: Everyone on NARANET; legend: Written request & FOIA data.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore, the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month, PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP.
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office.
• 9 go to the PMRS point of contact in R, the central office of the Research Services office.
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching, and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit.
• The limited sensitivity of the data.
• The very limited additional exposure that the present system incurs.
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost.
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None.
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None.
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Figure: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Legend: Written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES. The PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2954 written requests in FY2007, 3% of the total excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical or data mining or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing, or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A
7 Approvals
The Following Officials Have Approved this PIA:
System Manager 09/13/13
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
---------------------------------------------------------------22
Privacy Impact Assessment September 122013
214 The Dataheacon Web Site
PMRS publishes its data on NARANET using Databeacon Databeacon is an easy-to-learn tool for slicing and dicing numerical data using a web browser Our standard Employee cube lets users slice the data on 17 dimensions such as pay plan grade supervisory level org code gender race or any combination of these The system does not let users ask about individuals Indeed neither employee names nor numbers are on the web site However by slicing the data fine enough users can sometimes tell who the data is describing especially in small units where there may be only one female GS-9 Archives Technician Therefore when H asked for more dimensions- in particular a breakout by peoples ages- we knew that we had a privacy issue
Our solution was to give H the additional dimensions they want but to put that data at a hidden location on the PMRS web site The data is accessible by anyone on NARANET but only if they know the URL Databeacon has no security facilities of its own
The sensitive data here is peoples ages and the possibility that users could connect an age with a specific employee by qualifYing all the other dimensions enough as described above
hr_employee
The main cube hr_employee has two measures that can be broken out in 20 dimensions (right) The data covers monthly snapshots of active employees
All Pay Plans
All Occupational Series Both Perm amp Temp Both Full amp Part-time
All RaceEthnic Groups
All Supervisory Levels Both Students amp Non-students
All Retirement Plans
Retirement Eligibility All Target Grades
All Time in Grade All Years of Federal Service All Ages All Functions Measures (Measures)
J-m of Employees Lsect of Retirement-eligible Employees
----------------------------------------------------9
Privacy Impact Assessment September 12 2013
22 Why the Employee Information is Being Collected
221 Is each data element required for the business purpose of the system Explain
The list of data elements is driven by the needs of H to do workforce planning In particular
bull Retention analysis requires that PMRS keep data on individuals We need to see if the specific people who were here last year are still here
bull The analysis by age requires peoples birth dates Knowing peoples ages is a reasonable part of workforce planning and analysis
In addition CP has its own requirements for metrics
bull Our Annual Performance Plan says that we will measure how many of our employees are eligible to telework and of those how many do
bull A breakout of data by race gender and disabilities is required for our reporting to OMB
222 Is there another source for the data Explain how that source is or is uot used
FPPS is the only source of this data
23 Intended Use of this Information
231 Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected and how will this be maintained and filed
No PMRS offers no more data about individuals than is already in FPPS- except for the fact of whether they are eligible to telework or not middot
232 Will the new data be placed in the individuals record
No There is no new data
233 Can the system make determinations about employeesthe public that would not be possible without the new data
No There is no new data
234 How will the new data be verified for relevance and accuracy
There is no new data
235 Ifthe data is being consolidated what controls are in place to protect the data from unauthorized access or use
See the descriptions in section 21 above regarding the access restrictions on the various data stores
~ ---------------------------------------------------------10 ~
Privacy Impact Assessment September 12 2013
236 If processes are being consolidated are the proper controls remaining in place to protect the data and prevent unauthorized access Explain
See descriptions in section 21 above regarding the access restrictions on the various data stores In addition PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the
middotwarehouse IfHTS adds a new code ifCP changes an org code even ifHTS assigns a new number to someone -these conditions are all caught by the import code
237 Generally how will the data be retrieved by the user
Essentially PMRS is a reporting tool offering summary data Except for the administrator the data is not retrievable by the user Instead PMRS delivers summary data through its web site
238 Is the data retrievable by a personal identifier such as a name SSN or other unique identifier If yes explain and list the identifiers that will be used to retrieve information on an individual
Except for the administrator writing ad hoc queries the data is not retrievable by a personal identifier
239 What kinds of reports can be produced on individuals What will be the use of these reports Who will have access to them
None
2310 Can the use of the system allow NARA to treat the public employees or other persons differently Ifyes explain
No PMRS will not allow NARA to treat individuals differently Hopefully it will help us be smarter about treating classes of individuals differently through the mechanism ofworkforce planning
2311 Will this system be used to identify locate and monitor individuals
Not at all
2312 What kinds of information are collected as a function of the monitoring of individuals
None
2313 What controls will be used to prevent unauthorized monitoring
NA
2314 If the system is web-based does it use persistent cookies or other tracking devices to identify web visitors
Yes As noted above the web application requires its users to log in It then tracks the changes they make On the publication side Databeacon creates cookies based on the IP address ofthe users machine It uses these to connect returning users with views of the data that they have saved It has no capability to track usage In any event the only web users are government employees and contractors doing government work
~ -----------------------------------------------------------11 ~
Privacy Impact Assessment September 12 2013
24 Sharing of Collected Information
241 Who will have access to the data in the system (eg contractors users managers system administrators developers other)
See the descriptions of the various data stores in section 21 on page 4 above
242 How is access to the data by a user determined and by whom Are criteria procedures controls and responsibilities regarding access documented Ifso where are they documented (eg concept of operations document etc)
The access rules are simple and herewith documented
bull The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS
bull Everyone on NARANET has access to the published data
bull H and the people they share the URL with have access to the web site that publishes summary employee data by age
bull Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator
243 Will users have access to all data on the system or will the users access be restricted Explain
See the descriptions in section 21 on page 4 above regarding restrictions applied to the various data stores
244 What controls are in place to prevent the misuse (eg unauthorized browsing) of data by those who have been granted access (please list processes and training materials)
The PMRS Administrator is the only person with access to sensitive details His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA
245 middotmiddotmiddotAre contractors involved with the design and development of the system and will they be involved with the maintenance of the system Ifyes were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed
Contractors are very much involved in the creation and operation of PMRS However PMRS is not a Privacy Act system of record so there is no requirement for contract clauses
246 Do other NARA systems provide receive or share data in the system Ifyes list the system and describe which data is shared If no continue to question 7
PMRS is all about sharing data The source of employee data is FPPS
247 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment
FPPS is an approved Privacy Act system
~ ------------------------------------------------------12
Privacy Impact Assessment September 122013
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local, or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness, and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, "Written Request & FOIA Data in PMRS". Website users: Everyone on NARANET. Legend: written request & FOIA data.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore, the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP.
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office.
• 9 go to the PMRS point of contact in R, the central office of the Research Services office.
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching, and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit.
• The limited sensitivity of the data.
• The very limited additional exposure that the present system incurs.
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost.
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None.
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None.
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, "Written Request & FOIA Data in PMRS". Legend: written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES. The PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
[Screenshot: Web - FOIA Data Entry]
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical or data mining or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing, or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A.
7 Approvals
The Following Officials Have Approved this PIA
System Manager 09/13/13
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
245 middotmiddotmiddotAre contractors involved with the design and development of the system and will they be involved with the maintenance of the system Ifyes were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed
Contractors are very much involved in the creation and operation of PMRS However PMRS is not a Privacy Act system of record so there is no requirement for contract clauses
246 Do other NARA systems provide receive or share data in the system Ifyes list the system and describe which data is shared If no continue to question 7
PMRS is all about sharing data The source of employee data is FPPS
247 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment
FPPS is an approved Privacy Act system
~ ------------------------------------------------------12
Privacy Impact Assessment September 122013
248 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface
CP is responsible for controlling access to information in PMRS
H is responsible for limiting the contents of the extract sent to PMRS from FPPS
249 Will other agencies share data or have access to the data in this system (Federal State Local or Other) If so list the agency and the official responsible for proper use of the data and explain how the data will be used
No PMRS is an internal NARA system
25 Opportunities for Individuals to Decline Providing Information
251 What opportunities do individuals have to decline to provide information (ie where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses) and how can individuals grant consent
Individuals have no right to decline the uses doctunented here
252 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action
NA PMRS is a reporting system It reports statistics after the fact It is not involved in any determinations certainly none regarding individuals
26 Security of Collected Information
261 How will data be verified for accuracy timeliness and completeness What steps or procedures are taken to ensure the data is current Name the document that outlines these procedures (eg data models etc)
The data is refreshed every pay period with new data from FPPS Thus the current data is always as authoritative as it can be
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract either as current employees or as separated employees It also spots people who have had their NARA employee number changed
262 If the system is operated in more than one site how will consistent use of the system and data be maintained in all sites
NA The system is used at only one site
263 What are the retention periods of data in this system
bull Data warehouse Ten years per the PMRS records schedule Nl-064-03-1
bull Employeeaccdb NA This database does not retain historical data It stores only a current snapshot of active employees from FPPS Separated employees are removed as part of the update fromFPPS
~ 13
Privacy Impact Assessment September 122013
bull ems Extractaccdb This likewise contains only the contents of the latest update from FPPS
bull PMRS web site The data on this site is replaced each month with new data
bull Historical copies of the staging area Kept for 3 years per the PMRS records schedule Nl-064-03- L
264 What are the procedures for disposition of the data at the end of the retention period
bull Data warehouse Destruction is done automatically by a SQL Server scheduled job that runs every October
bull Historical copies of the staging area Destruction is done manually by the PMRS Administrator every October
265 Is the system using technologies in ways that the Agency has not previously
No
266 How does the use of this technology affect publicemployee privacy
NA No such teclmology is used
267 Does the system meet both NARAs IT security requirements as well as the procedures required by federal law and policy
YesPMRS has NARA CampA approval
268 Has a risk assessment been performed for this system
Yes
269 Describe any monitoring testing or evaluating done on this system to ensure continued security of information
bull The units regularly view their performance on the PMRS web site They complain ifthey find something amiss in the data
bull PMRS has extensive validation checks to ensure that data being imported is clean and complete
bull ITSS keeps backup copies for 90 days of all data in PMRS
2610 Identify a point of contact for any additional questions from users regarding the security of the system
Steve Beste CP 301-837-0918
-----------------------------------------------------------14
Privacy Impact Assessment September 122013
3 Written Requests amp FOIAs in the Unit Logs This diagram is an extract of the one on page 2 It shows just the data about written requests and FOIAs Data flows from the source systems on the left to the website users on the right
Performance Measurement and Reporting System
Written Request amp FOIA Data in PMRS
Everyone on NARANET
~ =Written mquest amp FOIA data
NARAs customer service standards say that if you write to us requesting information we will reply within ten working days Likewise if you send us a request and cite the Freedom of Information Act (FOIA) we will reply within 20 working days PMRS measures and publishes this performance
To do so PMRS coJJects data on every FOIA request and every written request However PMRS does not need to know anything about the requesters or the specifics of the requests Therefore the warehouse itself does not contain any such fields The warehouse is not discussed further
The units who reply to the requests obviously do need to know the requester and the specifics of their requests Almost every unit in NARA therefore has a correspondence Jog of some kind and also a FOIA logmiddot Sometimes the two logs are combined in one database sometimes not In FY2004 PMRS replaced many of these local logs with the PMRS web application This includes both a FOIA Jog and a written request log Units were free to switch to the web app logs or to continue on as they were This produced the two kinds of sources shown at the left in the diagram above Local databases and the PMRS web app
For those units that kept their own logs two reporting mechanisms emerged Some such as NGC simply email a copy of the entire log to the PMRS Administrator each month This is simple and 17 units take this approach Other units (I8) create an extract database and send only that This is a little more work for the unit each month but its appropriate where the source database is large The Bush and Clinton libraries for instance both have large complicated logs that cover FOIAs written requests and many other management functions They send extracts
These extracts contain no personaJly-identifiable data The extracts are not discussed further
The topics of interest are thus bull The copies of the unit logs that arrive at PMRS in fuJJ and bull The web application That is covered in section 4 on page 18 below
~ ------------------------------------------------------15~
Privacy Impact Assessment September 122013
31 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details 2 containing FOIA details and one containing both for a total of 17 databases of interest here The sensitive fields are typically
bull The name of the person making the request (a member of the public)
bull The persons address and telephone number
bull A description of the records being sought
bull The date of the request and the dates of our actions in reply
Of the 17 databases
bull 2 go to the PMRS Administrator in CP
bull 6 go to the PMRS point ofcontact in L the central office of the Legislative Archives Presidential Libraries and Museum Services office
bull 9 go to the PMRS point of contact in R the central office of the Research Services office
All of thesemiddot people save the databases to the PMRS staging area on the PMRSprod server Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the Land R central offices As a practical matter none of these people actually looks at the data unless theres a problem The act of saving the file in the staging area launches the PMRS warehouse loader It extracts the fields relevant to timeliness and leaves the sensitive fields behind
On the first of every month the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator The staging area is then emptied ready
middotfor the next month This is an automatic process
32 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs PMRS makes no use of it and does not import it into the PMRS warehouse
The alternative would be to have the units send in only extracts of their Jogs Some units do this already The question is whether it makes business sense to expand that design to all units The tradeoffs are these
bull The cost ofbuilding deploying teaching and maintaining 17 extract databases These are small units with limited technical ability CP would have to do the work
bull The additional complexity of the monthly submission step at each unit
bull The limited sensitivity of the data
bull The very limited additional exposure that the present system incurs
bull The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs CP concludes that the present design is appropriate
33 Intended Use of this Information
None
-------------------16
Privacy Impact Assessment September 12 2013
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, "Written Request & FOIA Data in PMRS". Legend: marked items = written request & FOIA data]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs. The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES; the PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests. Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
[Figure: "Web - FOIA Data Entry" screen]
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical or data mining or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes
4.6.9 Describe any monitoring, testing, or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No
6.2 If so, what changes were made to the system/application to compensate?
N/A
7 Approvals
The Following Officials Have Approved this PIA
System Manager 09/13/13
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
2.3.6 If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
See descriptions in section 2.1 above regarding the access restrictions on the various data stores. In addition, PMRS has extensive data quality checks to ensure the integrity of the data as it moves into the warehouse. If HTS adds a new code, if CP changes an org code, even if HTS assigns a new number to someone - these conditions are all caught by the import code.
2.3.7 Generally, how will the data be retrieved by the user?
Essentially, PMRS is a reporting tool offering summary data. Except for the administrator, the data is not retrievable by the user. Instead, PMRS delivers summary data through its web site.
2.3.8 Is the data retrievable by a personal identifier such as a name, SSN, or other unique identifier? If yes, explain, and list the identifiers that will be used to retrieve information on an individual.
Except for the administrator writing ad hoc queries, the data is not retrievable by a personal identifier.
2.3.9 What kinds of reports can be produced on individuals? What will be the use of these reports? Who will have access to them?
None
2.3.10 Can the use of the system allow NARA to treat the public, employees, or other persons differently? If yes, explain.
No. PMRS will not allow NARA to treat individuals differently. Hopefully, it will help us be smarter about treating classes of individuals differently through the mechanism of workforce planning.
2.3.11 Will this system be used to identify, locate, and monitor individuals?
Not at all.
2.3.12 What kinds of information are collected as a function of the monitoring of individuals?
None
2.3.13 What controls will be used to prevent unauthorized monitoring?
N/A
2.3.14 If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
Yes. As noted above, the web application requires its users to log in. It then tracks the changes they make. On the publication side, Databeacon creates cookies based on the IP address of the user's machine. It uses these to connect returning users with views of the data that they have saved. It has no capability to track usage. In any event, the only web users are government employees and contractors doing government work.
2.4 Sharing of Collected Information
2.4.1 Who will have access to the data in the system (e.g., contractors, users, managers, system administrators, developers, other)?
See the descriptions of the various data stores in section 2.1 on page 4 above.
2.4.2 How is access to the data by a user determined and by whom? Are criteria, procedures, controls, and responsibilities regarding access documented? If so, where are they documented (e.g., concept of operations document, etc.)?
The access rules are simple and herewith documented:
• The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS.
• Everyone on NARANET has access to the published data.
• H and the people they share the URL with have access to the web site that publishes summary employee data by age.
• Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator.
2.4.3 Will users have access to all data on the system, or will the user's access be restricted? Explain.
See the descriptions in section 2.1 on page 4 above regarding restrictions applied to the various data stores.
2.4.4 What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by those who have been granted access (please list processes and training materials)?
The PMRS Administrator is the only person with access to sensitive details. His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA.
2.4.5 Are contractors involved with the design and development of the system, and will they be involved with the maintenance of the system? If yes, were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed?
Contractors are very much involved in the creation and operation of PMRS. However, PMRS is not a Privacy Act system of record, so there is no requirement for contract clauses.
2.4.6 Do other NARA systems provide, receive, or share data in the system? If yes, list the system and describe which data is shared. If no, continue to question 7.
PMRS is all about sharing data. The source of employee data is FPPS.
2.4.7 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment?
FPPS is an approved Privacy Act system.
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local, or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness, and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse. Ten years, per the PMRS records schedule N1-064-03-1.
• Employee.accdb. N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb. This likewise contains only the contents of the latest update from FPPS.
• PMRS web site. The data on this site is replaced each month with new data.
• Historical copies of the staging area. Kept for 3 years, per the PMRS records schedule N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse. Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area. Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, "Written Request & FOIA Data in PMRS", with "Everyone on NARANET" as the website users. Legend: marked items = written request & FOIA data]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore, the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month, PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP.
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office.
• 9 go to the PMRS point of contact in R, the central office of the Research Services office.
24 Sharing of Collected Information
241 Who will have access to the data in the system (eg contractors users managers system administrators developers other)
See the descriptions of the various data stores in section 21 on page 4 above
242 How is access to the data by a user determined and by whom Are criteria procedures controls and responsibilities regarding access documented Ifso where are they documented (eg concept of operations document etc)
The access rules are simple and herewith documented
bull The PMRS administrator (and presumably ITSS support staff) has access to everything in PMRS
bull Everyone on NARANET has access to the published data
bull H and the people they share the URL with have access to the web site that publishes summary employee data by age
bull Access to the web logs is open to anyone on NARANET whose supervisor sends an email making the request to the PMRS Administrator
243 Will users have access to all data on the system or will the users access be restricted Explain
See the descriptions in section 21 on page 4 above regarding restrictions applied to the various data stores
244 What controls are in place to prevent the misuse (eg unauthorized browsing) of data by those who have been granted access (please list processes and training materials)
The PMRS Administrator is the only person with access to sensitive details His training in privacy requirements consists of the standard NARA online course plus the preparation of this PIA
245 middotmiddotmiddotAre contractors involved with the design and development of the system and will they be involved with the maintenance of the system Ifyes were Privacy Act contract clauses inserted in their contracts and other regulatory measures addressed
Contractors are very much involved in the creation and operation of PMRS However PMRS is not a Privacy Act system of record so there is no requirement for contract clauses
246 Do other NARA systems provide receive or share data in the system Ifyes list the system and describe which data is shared If no continue to question 7
PMRS is all about sharing data The source of employee data is FPPS
247 Have the NARA systems described in item 6 received an approved Security Certification and Privacy Impact Assessment
FPPS is an approved Privacy Act system
~ ------------------------------------------------------12
Privacy Impact Assessment September 122013
2.4.8 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface?
CP is responsible for controlling access to information in PMRS.
H is responsible for limiting the contents of the extract sent to PMRS from FPPS.
2.4.9 Will other agencies share data or have access to the data in this system (Federal, State, Local, or Other)? If so, list the agency and the official responsible for proper use of the data, and explain how the data will be used.
No. PMRS is an internal NARA system.
2.5 Opportunities for Individuals to Decline Providing Information
2.5.1 What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent?
Individuals have no right to decline the uses documented here.
2.5.2 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action?
N/A. PMRS is a reporting system. It reports statistics after the fact. It is not involved in any determinations, certainly none regarding individuals.
2.6 Security of Collected Information
2.6.1 How will data be verified for accuracy, timeliness, and completeness? What steps or procedures are taken to ensure the data is current? Name the document that outlines these procedures (e.g., data models, etc.).
The data is refreshed every pay period with new data from FPPS. Thus the current data is always as authoritative as it can be.
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract, either as current employees or as separated employees. It also spots people who have had their NARA employee number changed.
2.6.2 If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
N/A. The system is used at only one site.
2.6.3 What are the retention periods of data in this system?
• Data warehouse: Ten years, per the PMRS records schedule N1-064-03-1.
• Employee.accdb: N/A. This database does not retain historical data. It stores only a current snapshot of active employees from FPPS. Separated employees are removed as part of the update from FPPS.
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years, per the PMRS records schedule N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Website users: everyone on NARANET.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP.
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office.
• 9 go to the PMRS point of contact in R, the central office of the Research Services office.
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
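The loader behaviour described above (keep the timeliness fields, leave the sensitive ones behind) is sketched here as an added example; it is not PMRS code. The field names, unit labels and sample rows are assumptions constructed for illustration, and working days are counted Monday to Friday with holidays ignored.

```python
from datetime import date, timedelta

# Reply standards stated in this assessment, in working days.
STANDARD_DAYS = {"written": 10, "foia": 20}

# Allowlist of fields the warehouse may receive (assumed names).
# An allowlist, unlike a list of fields to strip, also drops any
# sensitive column a unit adds to its log later.
ALLOWED = ("unit", "kind", "received", "completed")


def working_days(start: date, end: date) -> int:
    """Weekdays after `start` up to and including `end`."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            count += 1
    return count


def load_row(row: dict) -> dict:
    """Validate one log row and return only the allowlisted fields."""
    kind = row.get("kind")
    if kind not in STANDARD_DAYS:
        raise ValueError(f"unknown request kind: {kind!r}")
    received, completed = row.get("received"), row.get("completed")
    if not isinstance(received, date):
        raise ValueError("received date missing")
    if completed is not None and completed < received:
        raise ValueError("completion date earlier than receipt date")
    slim = {name: row.get(name) for name in ALLOWED}
    if completed is None:
        # Still open: nothing to measure yet.
        slim["days_taken"] = None
        slim["on_time"] = None
    else:
        slim["days_taken"] = working_days(received, completed)
        slim["on_time"] = slim["days_taken"] <= STANDARD_DAYS[kind]
    return slim


def load_log(rows):
    """Split a unit log into warehouse rows and rejects (index, reason)."""
    loaded, rejected = [], []
    for index, row in enumerate(rows):
        try:
            loaded.append(load_row(row))
        except ValueError as err:
            rejected.append((index, str(err)))
    return loaded, rejected


# Constructed sample log; every value is made up.
SAMPLE_LOG = [
    {"unit": "UNIT-A", "kind": "written", "received": date(2013, 9, 3),
     "completed": date(2013, 9, 16), "requester_name": "Example Person",
     "address": "1 Example St", "phone": "555-0100",
     "description": "constructed request text"},
    {"unit": "UNIT-A", "kind": "foia", "received": date(2013, 9, 2),
     "completed": date(2013, 10, 4), "requester_name": "Another Person",
     "description": "constructed request text"},
    {"unit": "UNIT-B", "kind": "written", "received": date(2013, 9, 10),
     "completed": date(2013, 9, 9), "requester_name": "Third Person"},
]

if __name__ == "__main__":
    warehouse_rows, rejects = load_log(SAMPLE_LOG)
    for row in warehouse_rows:
        print(row)
    print("rejected:", rejects)
```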
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching, and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit.
• The limited sensitivity of the data.
• The very limited additional exposure that the present system incurs.
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost.
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None.
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None.
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES; the PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total, excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
[Screenshot: Web - FOIA data entry]
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical, data mining, or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing, or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A
7 Approvals
The Following Officials Have Approved this PIA
System Manager 09/13/13
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992
---------------------------------------------------------------22
Privacy Impact Assessment September 122013
248 Who will be responsible for protecting the privacy rights of the public and employees affected by the interface
CP is responsible for controlling access to information in PMRS
H is responsible for limiting the contents of the extract sent to PMRS from FPPS
249 Will other agencies share data or have access to the data in this system (Federal State Local or Other) If so list the agency and the official responsible for proper use of the data and explain how the data will be used
No PMRS is an internal NARA system
25 Opportunities for Individuals to Decline Providing Information
251 What opportunities do individuals have to decline to provide information (ie where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses) and how can individuals grant consent
Individuals have no right to decline the uses doctunented here
252 Does the system ensure due process by allowing affected parties to respond to any negative determination prior to final action
NA PMRS is a reporting system It reports statistics after the fact It is not involved in any determinations certainly none regarding individuals
26 Security of Collected Information
261 How will data be verified for accuracy timeliness and completeness What steps or procedures are taken to ensure the data is current Name the document that outlines these procedures (eg data models etc)
The data is refreshed every pay period with new data from FPPS Thus the current data is always as authoritative as it can be
The program that imports the data from FPPS makes sure that all employees previously reported are accounted for in the new extract either as current employees or as separated employees It also spots people who have had their NARA employee number changed
262 If the system is operated in more than one site how will consistent use of the system and data be maintained in all sites
NA The system is used at only one site
263 What are the retention periods of data in this system
bull Data warehouse Ten years per the PMRS records schedule Nl-064-03-1
bull Employeeaccdb NA This database does not retain historical data It stores only a current snapshot of active employees from FPPS Separated employees are removed as part of the update fromFPPS
~ 13
Privacy Impact Assessment September 122013
bull ems Extractaccdb This likewise contains only the contents of the latest update from FPPS
bull PMRS web site The data on this site is replaced each month with new data
bull Historical copies of the staging area Kept for 3 years per the PMRS records schedule Nl-064-03- L
264 What are the procedures for disposition of the data at the end of the retention period
bull Data warehouse Destruction is done automatically by a SQL Server scheduled job that runs every October
bull Historical copies of the staging area Destruction is done manually by the PMRS Administrator every October
265 Is the system using technologies in ways that the Agency has not previously
No
266 How does the use of this technology affect publicemployee privacy
NA No such teclmology is used
267 Does the system meet both NARAs IT security requirements as well as the procedures required by federal law and policy
YesPMRS has NARA CampA approval
268 Has a risk assessment been performed for this system
Yes
269 Describe any monitoring testing or evaluating done on this system to ensure continued security of information
bull The units regularly view their performance on the PMRS web site They complain ifthey find something amiss in the data
bull PMRS has extensive validation checks to ensure that data being imported is clean and complete
bull ITSS keeps backup copies for 90 days of all data in PMRS
2610 Identify a point of contact for any additional questions from users regarding the security of the system
Steve Beste CP 301-837-0918
-----------------------------------------------------------14
Privacy Impact Assessment September 122013
3 Written Requests amp FOIAs in the Unit Logs This diagram is an extract of the one on page 2 It shows just the data about written requests and FOIAs Data flows from the source systems on the left to the website users on the right
Performance Measurement and Reporting System
Written Request amp FOIA Data in PMRS
Everyone on NARANET
~ =Written mquest amp FOIA data
NARAs customer service standards say that if you write to us requesting information we will reply within ten working days Likewise if you send us a request and cite the Freedom of Information Act (FOIA) we will reply within 20 working days PMRS measures and publishes this performance
To do so PMRS coJJects data on every FOIA request and every written request However PMRS does not need to know anything about the requesters or the specifics of the requests Therefore the warehouse itself does not contain any such fields The warehouse is not discussed further
The units who reply to the requests obviously do need to know the requester and the specifics of their requests Almost every unit in NARA therefore has a correspondence Jog of some kind and also a FOIA logmiddot Sometimes the two logs are combined in one database sometimes not In FY2004 PMRS replaced many of these local logs with the PMRS web application This includes both a FOIA Jog and a written request log Units were free to switch to the web app logs or to continue on as they were This produced the two kinds of sources shown at the left in the diagram above Local databases and the PMRS web app
For those units that kept their own logs two reporting mechanisms emerged Some such as NGC simply email a copy of the entire log to the PMRS Administrator each month This is simple and 17 units take this approach Other units (I8) create an extract database and send only that This is a little more work for the unit each month but its appropriate where the source database is large The Bush and Clinton libraries for instance both have large complicated logs that cover FOIAs written requests and many other management functions They send extracts
These extracts contain no personaJly-identifiable data The extracts are not discussed further
The topics of interest are thus bull The copies of the unit logs that arrive at PMRS in fuJJ and bull The web application That is covered in section 4 on page 18 below
~ ------------------------------------------------------15~
Privacy Impact Assessment September 122013
31 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details 2 containing FOIA details and one containing both for a total of 17 databases of interest here The sensitive fields are typically
bull The name of the person making the request (a member of the public)
bull The persons address and telephone number
bull A description of the records being sought
bull The date of the request and the dates of our actions in reply
Of the 17 databases
bull 2 go to the PMRS Administrator in CP
bull 6 go to the PMRS point ofcontact in L the central office of the Legislative Archives Presidential Libraries and Museum Services office
bull 9 go to the PMRS point of contact in R the central office of the Research Services office
All of thesemiddot people save the databases to the PMRS staging area on the PMRSprod server Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the Land R central offices As a practical matter none of these people actually looks at the data unless theres a problem The act of saving the file in the staging area launches the PMRS warehouse loader It extracts the fields relevant to timeliness and leaves the sensitive fields behind
On the first of every month the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator The staging area is then emptied ready
middotfor the next month This is an automatic process
32 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs PMRS makes no use of it and does not import it into the PMRS warehouse
The alternative would be to have the units send in only extracts of their Jogs Some units do this already The question is whether it makes business sense to expand that design to all units The tradeoffs are these
bull The cost ofbuilding deploying teaching and maintaining 17 extract databases These are small units with limited technical ability CP would have to do the work
bull The additional complexity of the monthly submission step at each unit
bull The limited sensitivity of the data
bull The very limited additional exposure that the present system incurs
bull The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs CP concludes that the present design is appropriate
33 Intended Use of this Information
None
-------------------16
Privacy Impact Assessment September 12 2013
34 Sharing of Collected Information
The data is not shared It goes nowhere as describe in the introduction to this section 3 on page 15 above
35 Opportunities for Individuals to Decline Providing Information
None
36 Security of Collected Information
The files in question reside in sequence
bull As email attachments in Group Wise protected by the recipients password
bull In the PMRS staging area Access to that requires first a NARANET login and then an account on the PMRSprod server Very few people have this See section 3 I on page 16 above
bull In the PMRS staging area archive Access to this requires frrst a NARANET login and then an account on the PMRSweb server Only the PMRS Administrator has this
~ 17
Privacy lnqJact Assessment September 12 2013
4 Written Requests amp FOIAs in the PMRS Web Application This diagram is an extract of the one on page 2 It shows just the data about written requests and FOIAs Data flows from the source systems on the left to the website users on the right
Performance Measurement and Reporting System
Written Request amp FOIA Data in PMRS
cgt =Written request amp FOIA data
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS This section concerns the PMRS web application its FOIA Log and its Written Request Log
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month The old databases were cumbersome inflexible and depended on people in the field to push the data to CP By contrast the web app allows central maintenance and CP can pull the data from the database at any time As the scope ofPMRS expanded the web app allowed CP to collect additional data at relatively low cost
The downside of the web app is that it puts CP in the business of owning a source system Normally source databases are the responsibility of their owners (CMRS SOFA FPPS and all the little Access databases that still come into PMRS) With the web app CP is obliged to support the field units requirements for day-to-day management data at least within certain subject areas Two of those subject areas are FOIAs and written requests
In practice many units chose to keep using their own databases in lieu of the web versions This is the current situation
bull FOIAs The big FOIA shops run their own databases The National Personnel Records Center in St Louis uses CMRS Our Washington-area operation uses ADRRES the PRA libraries and NGC use home-grown Access databases Only the small shops use the FOIA web log Of the 12186 FOIAs received in FY2007 only 3 (360) came into PMRS through the FOIA web log But these covered 20 NARA units That is 20 Access databases that we no longer have to chase each month
bull Written requests Units are very attached to their correspondence logs Only 5 units out of 41 chose to replace them with the one in the web app The web app recorded 2954 written requests in FY2007 3 of the total excluding National Personnel Records Center
~ 18
Privacy Impact Assessment September 122013
The web application currently has 281 registered users Many of these are supervisors and backup users 154 users are active having logged into the system in the past three months
41 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically [II Web - FOIA DATA ENTRt Tallie d ~ ~rt
bull The name of the person making the request (a member of the public)
bull The persons address and telephone number
bull A description of the records being sought
bull The date of the request and the dates of our actions in reply
Specifically in respect to FO As the web app collects the fields at right
In respect to written requests the web app collects the fields below
Privacy Impact Assessment September 12 2013
42 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so
43 Intended Use of this Information
The information is used by the respective NARA units to process the requests PMRS extracts nonshysensitive fields in order to measure performance The web logs have no analytical or data mining or reporting ability
44 Sharing of Collected Information
Units can see only their own data not each others The web log enforces this based on individuallogins The web application does not share this data at all
45 Opportunities for Individuals to Decline Providing Information
None If individuals want NARA records they must tell us what they want and give us a way to contact them
46 Security of Coiiected Information
461 How will the data be verified for accuracy timeliness and completeness
a) The people entering the data check it
b) The units check the figures that get published through PMRS as these reflect on their performance
c) Central offices spot check the data in the logs during regular inspections referring to the hard copies of the requests and replies
462 How will consistent nse of the system and data be maintained in all sites
Uniform instructions have been created for all fields These are available through the online help as well as in companion User Guides
Extensive field and cross-field validations are built into the logs themselves These prevent mistakes such as dates from last year or completion dates earlier than receipt dates
Central offices spot check the data in the logs during regular inspections
463 What are the retention periods of data in this system
Three years This is set by the PMRS records schedule Nl-064-03-1
464 What is the procedure for disposition of the data at the end of the retention period
Per the schedule the data is destroyed This is accomplished by a SQL Server scheduled job that runs every October
~ -------------------20
Privacy Impact Assessment September 12 2013
465 Is the system using technologies in ways that the Agency has not previously employed
No
466 How does the use of this technology affect publicemployee privacy
NA No such technology is being used
467 Does the system meet IT security requirements
Yes PMRS has NARA CampA approval
468 Has a risk assessment been performed for this system
Yes
469 Describe any monitoring testing or evaluation done on this system to ensure continued security of information
The units regularly view their performance on the PMRS web site They complain ifthey find something amiss in the data
At the detail level the system stamps every changed record with the date time and the ID of the person making the change
4610 Identify a point of contact for any additional questions regarding the security of the system
Steve Beste CP 301-837-0918
5 Is this a System of Record Covered by the Privacy Act PMRS is not a Privacy Act system of record Nor is it required to be
6 Conclusions and Analysis
61 Did any pertinent issues arise during the drafting of this Assessment
No
62 If so what changes were made to the systemapplication to compensate
NA
7 Approvals The Following Officials Have Approved this PIA
-----------------------------------------------------------21
Privacy Impact Assessment September 12 2013
System Manager 091313
Susan Ashtianie Director Perfonnance and Accountability St ff 3 01-83 7-1490
Senior Agency Official for Privacy Gary M Stern General Counsel amp Senior Agency Official for Privacy 301-837-3026
Chief Information Officer Michael Wash Assistant Archivist for Infonnation Services amp Chief Infonnation Officer 301-837-1992
• ems Extract.accdb: This likewise contains only the contents of the latest update from FPPS.
• PMRS web site: The data on this site is replaced each month with new data.
• Historical copies of the staging area: Kept for 3 years per the PMRS records schedule, N1-064-03-1.
2.6.4 What are the procedures for disposition of the data at the end of the retention period?
• Data warehouse: Destruction is done automatically by a SQL Server scheduled job that runs every October.
• Historical copies of the staging area: Destruction is done manually by the PMRS Administrator every October.
2.6.5 Is the system using technologies in ways that the Agency has not previously
No.
2.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is used.
2.6.7 Does the system meet both NARA's IT security requirements as well as the procedures required by federal law and policy?
Yes. PMRS has NARA C&A approval.
2.6.8 Has a risk assessment been performed for this system?
Yes.
2.6.9 Describe any monitoring, testing, or evaluating done on this system to ensure continued security of information.
• The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
• PMRS has extensive validation checks to ensure that data being imported is clean and complete.
• ITSS keeps backup copies for 90 days of all data in PMRS.
2.6.10 Identify a point of contact for any additional questions from users regarding the security of the system.
Steve Beste, CP, 301-837-0918
3 Written Requests & FOIAs in the Unit Logs
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Label: Everyone on NARANET. Legend: written request & FOIA data.]
NARA's customer service standards say that if you write to us requesting information, we will reply within ten working days. Likewise, if you send us a request and cite the Freedom of Information Act (FOIA), we will reply within 20 working days. PMRS measures and publishes this performance.
To do so, PMRS collects data on every FOIA request and every written request. However, PMRS does not need to know anything about the requesters or the specifics of the requests. Therefore, the warehouse itself does not contain any such fields. The warehouse is not discussed further.
The units who reply to the requests obviously do need to know the requester and the specifics of their requests. Almost every unit in NARA therefore has a correspondence log of some kind and also a FOIA log. Sometimes the two logs are combined in one database, sometimes not. In FY2004, PMRS replaced many of these local logs with the PMRS web application. This includes both a FOIA log and a written request log. Units were free to switch to the web app logs or to continue on as they were. This produced the two kinds of sources shown at the left in the diagram above: local databases and the PMRS web app.
For those units that kept their own logs, two reporting mechanisms emerged. Some, such as NGC, simply email a copy of the entire log to the PMRS Administrator each month. This is simple, and 17 units take this approach. Other units (18) create an extract database and send only that. This is a little more work for the unit each month, but it's appropriate where the source database is large. The Bush and Clinton libraries, for instance, both have large, complicated logs that cover FOIAs, written requests, and many other management functions. They send extracts.
These extracts contain no personally-identifiable data. The extracts are not discussed further.
The topics of interest are thus:
• The copies of the unit logs that arrive at PMRS in full, and
• The web application. That is covered in section 4 on page 18 below.
3.1 Written Request and FOIA Information Being Collected in the Unit Logs
Every month, PMRS receives 14 databases containing written request details, 2 containing FOIA details, and one containing both, for a total of 17 databases of interest here. The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Of the 17 databases:
• 2 go to the PMRS Administrator in CP
• 6 go to the PMRS point of contact in L, the central office of the Legislative Archives, Presidential Libraries, and Museum Services office
• 9 go to the PMRS point of contact in R, the central office of the Research Services office
All of these people save the databases to the PMRS staging area on the PMRSprod server. Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the L and R central offices. As a practical matter, none of these people actually looks at the data unless there's a problem. The act of saving the file in the staging area launches the PMRS warehouse loader. It extracts the fields relevant to timeliness and leaves the sensitive fields behind.
On the first of every month, the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator. The staging area is then emptied, ready for the next month. This is an automatic process.
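The loader behaviour described in section 3.1 (copy the timeliness fields, leave the sensitive fields behind) can be sketched with an allowlist, so that a column the loader does not know about is dropped by default. This is an added example, not PMRS code: the column names, unit labels and sample rows are constructed, and federal holidays are ignored in the working-day count.

```python
from datetime import date, timedelta

# Column names are assumptions; the assessment does not list the real ones.
ALLOWED_FIELDS = ("unit", "request_type", "date_received", "date_replied")
# Reply standards stated in the assessment, in working days.
STANDARD_DAYS = {"written": 10, "foia": 20}


def working_days(start, end):
    """Working days (Mon-Fri) from the day after `start` through `end`.

    Federal holidays are ignored here, which is a simplification.
    """
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count


def extract_row(source_row):
    """Copy only allowlisted fields; every other column is left behind."""
    missing = [f for f in ALLOWED_FIELDS if f not in source_row]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    row = {f: source_row[f] for f in ALLOWED_FIELDS}
    if row["request_type"] not in STANDARD_DAYS:
        raise ValueError("unknown request type")
    replied = row["date_replied"]
    if replied is not None and replied < row["date_received"]:
        raise ValueError("reply date earlier than receipt date")
    return row


def load(unit_log):
    """Return (warehouse_rows, rejects).

    Rejects carry only a row index and a reason, never field values,
    so requester details cannot leak through the error report.
    """
    warehouse, rejects = [], []
    for index, source_row in enumerate(unit_log):
        try:
            row = extract_row(source_row)
        except ValueError as exc:
            rejects.append((index, str(exc)))
            continue
        replied = row["date_replied"]
        if replied is None:  # request still open
            row["working_days"] = None
            row["on_time"] = None
        else:
            row["working_days"] = working_days(row["date_received"], replied)
            limit = STANDARD_DAYS[row["request_type"]]
            row["on_time"] = row["working_days"] <= limit
        warehouse.append(row)
    return warehouse, rejects


# Constructed sample of a unit log as it might arrive in the staging area.
SAMPLE_UNIT_LOG = [
    {"unit": "UNIT-A", "request_type": "foia",
     "requester_name": "Jane Example", "address": "1 Sample St",
     "phone": "555-0100", "description": "constructed request text",
     "date_received": date(2013, 9, 3), "date_replied": date(2013, 9, 30)},
    {"unit": "UNIT-A", "request_type": "written",
     "requester_name": "John Example", "address": "2 Sample St",
     "phone": "555-0101", "description": "constructed request text",
     "date_received": date(2013, 9, 3), "date_replied": date(2013, 9, 18)},
    {"unit": "UNIT-B", "request_type": "written",
     "requester_name": "Ann Example", "address": "3 Sample St",
     "phone": "555-0102", "description": "constructed request text",
     "date_received": date(2013, 9, 10), "date_replied": date(2013, 9, 9)},
    {"unit": "UNIT-B", "request_type": "foia",
     "requester_name": "Sam Example", "address": "4 Sample St",
     "phone": "555-0103", "description": "constructed request text",
     "date_received": date(2013, 9, 16), "date_replied": None},
]

if __name__ == "__main__":
    rows, rejected = load(SAMPLE_UNIT_LOG)
    for r in rows:
        print(r)
    print("rejected:", rejected)
```

Because the copy is driven by the allowlist rather than by a list of fields to strip, a new sensitive column added to a unit's log never reaches the warehouse unless someone deliberately adds it to `ALLOWED_FIELDS`.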
3.2 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs. PMRS makes no use of it and does not import it into the PMRS warehouse.
The alternative would be to have the units send in only extracts of their logs. Some units do this already. The question is whether it makes business sense to expand that design to all units. The tradeoffs are these:
• The cost of building, deploying, teaching, and maintaining 17 extract databases. These are small units with limited technical ability. CP would have to do the work.
• The additional complexity of the monthly submission step at each unit
• The limited sensitivity of the data
• The very limited additional exposure that the present system incurs
• The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs, CP concludes that the present design is appropriate.
3.3 Intended Use of this Information
None
3.4 Sharing of Collected Information
The data is not shared. It goes nowhere, as described in the introduction to this section 3 on page 15 above.
3.5 Opportunities for Individuals to Decline Providing Information
None
3.6 Security of Collected Information
The files in question reside, in sequence:
• As email attachments in GroupWise, protected by the recipient's password.
• In the PMRS staging area. Access to that requires first a NARANET login and then an account on the PMRSprod server. Very few people have this. See section 3.1 on page 16 above.
• In the PMRS staging area archive. Access to this requires first a NARANET login and then an account on the PMRSweb server. Only the PMRS Administrator has this.
4 Written Requests & FOIAs in the PMRS Web Application
This diagram is an extract of the one on page 2. It shows just the data about written requests and FOIAs. Data flows from the source systems on the left to the website users on the right.
[Diagram: Performance Measurement and Reporting System, Written Request & FOIA Data in PMRS. Legend: written request & FOIA data.]
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS. This section concerns the PMRS web application, its FOIA Log, and its Written Request Log.
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs: The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES; the PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests: Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total, excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical, data mining, or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
3 Written Requests amp FOIAs in the Unit Logs This diagram is an extract of the one on page 2 It shows just the data about written requests and FOIAs Data flows from the source systems on the left to the website users on the right
Performance Measurement and Reporting System
Written Request amp FOIA Data in PMRS
Everyone on NARANET
~ =Written mquest amp FOIA data
NARAs customer service standards say that if you write to us requesting information we will reply within ten working days Likewise if you send us a request and cite the Freedom of Information Act (FOIA) we will reply within 20 working days PMRS measures and publishes this performance
To do so PMRS coJJects data on every FOIA request and every written request However PMRS does not need to know anything about the requesters or the specifics of the requests Therefore the warehouse itself does not contain any such fields The warehouse is not discussed further
The units who reply to the requests obviously do need to know the requester and the specifics of their requests Almost every unit in NARA therefore has a correspondence Jog of some kind and also a FOIA logmiddot Sometimes the two logs are combined in one database sometimes not In FY2004 PMRS replaced many of these local logs with the PMRS web application This includes both a FOIA Jog and a written request log Units were free to switch to the web app logs or to continue on as they were This produced the two kinds of sources shown at the left in the diagram above Local databases and the PMRS web app
For those units that kept their own logs two reporting mechanisms emerged Some such as NGC simply email a copy of the entire log to the PMRS Administrator each month This is simple and 17 units take this approach Other units (I8) create an extract database and send only that This is a little more work for the unit each month but its appropriate where the source database is large The Bush and Clinton libraries for instance both have large complicated logs that cover FOIAs written requests and many other management functions They send extracts
These extracts contain no personaJly-identifiable data The extracts are not discussed further
The topics of interest are thus bull The copies of the unit logs that arrive at PMRS in fuJJ and bull The web application That is covered in section 4 on page 18 below
~ ------------------------------------------------------15~
Privacy Impact Assessment September 122013
31 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details 2 containing FOIA details and one containing both for a total of 17 databases of interest here The sensitive fields are typically
bull The name of the person making the request (a member of the public)
bull The persons address and telephone number
bull A description of the records being sought
bull The date of the request and the dates of our actions in reply
Of the 17 databases
bull 2 go to the PMRS Administrator in CP
bull 6 go to the PMRS point ofcontact in L the central office of the Legislative Archives Presidential Libraries and Museum Services office
bull 9 go to the PMRS point of contact in R the central office of the Research Services office
All of thesemiddot people save the databases to the PMRS staging area on the PMRSprod server Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the Land R central offices As a practical matter none of these people actually looks at the data unless theres a problem The act of saving the file in the staging area launches the PMRS warehouse loader It extracts the fields relevant to timeliness and leaves the sensitive fields behind
On the first of every month the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator The staging area is then emptied ready
middotfor the next month This is an automatic process
32 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs PMRS makes no use of it and does not import it into the PMRS warehouse
The alternative would be to have the units send in only extracts of their Jogs Some units do this already The question is whether it makes business sense to expand that design to all units The tradeoffs are these
bull The cost ofbuilding deploying teaching and maintaining 17 extract databases These are small units with limited technical ability CP would have to do the work
bull The additional complexity of the monthly submission step at each unit
bull The limited sensitivity of the data
bull The very limited additional exposure that the present system incurs
bull The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs CP concludes that the present design is appropriate
33 Intended Use of this Information
None
-------------------16
Privacy Impact Assessment September 12 2013
34 Sharing of Collected Information
The data is not shared It goes nowhere as describe in the introduction to this section 3 on page 15 above
35 Opportunities for Individuals to Decline Providing Information
None
36 Security of Collected Information
The files in question reside in sequence
bull As email attachments in Group Wise protected by the recipients password
bull In the PMRS staging area Access to that requires first a NARANET login and then an account on the PMRSprod server Very few people have this See section 3 I on page 16 above
bull In the PMRS staging area archive Access to this requires frrst a NARANET login and then an account on the PMRSweb server Only the PMRS Administrator has this
~ 17
Privacy lnqJact Assessment September 12 2013
4 Written Requests amp FOIAs in the PMRS Web Application This diagram is an extract of the one on page 2 It shows just the data about written requests and FOIAs Data flows from the source systems on the left to the website users on the right
Performance Measurement and Reporting System
Written Request amp FOIA Data in PMRS
cgt =Written request amp FOIA data
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS This section concerns the PMRS web application its FOIA Log and its Written Request Log
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month The old databases were cumbersome inflexible and depended on people in the field to push the data to CP By contrast the web app allows central maintenance and CP can pull the data from the database at any time As the scope ofPMRS expanded the web app allowed CP to collect additional data at relatively low cost
The downside of the web app is that it puts CP in the business of owning a source system Normally source databases are the responsibility of their owners (CMRS SOFA FPPS and all the little Access databases that still come into PMRS) With the web app CP is obliged to support the field units requirements for day-to-day management data at least within certain subject areas Two of those subject areas are FOIAs and written requests
In practice many units chose to keep using their own databases in lieu of the web versions This is the current situation
bull FOIAs The big FOIA shops run their own databases The National Personnel Records Center in St Louis uses CMRS Our Washington-area operation uses ADRRES the PRA libraries and NGC use home-grown Access databases Only the small shops use the FOIA web log Of the 12186 FOIAs received in FY2007 only 3 (360) came into PMRS through the FOIA web log But these covered 20 NARA units That is 20 Access databases that we no longer have to chase each month
bull Written requests Units are very attached to their correspondence logs Only 5 units out of 41 chose to replace them with the one in the web app The web app recorded 2954 written requests in FY2007 3 of the total excluding National Personnel Records Center
~ 18
Privacy Impact Assessment September 122013
The web application currently has 281 registered users Many of these are supervisors and backup users 154 users are active having logged into the system in the past three months
41 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically [II Web - FOIA DATA ENTRt Tallie d ~ ~rt
bull The name of the person making the request (a member of the public)
bull The persons address and telephone number
bull A description of the records being sought
bull The date of the request and the dates of our actions in reply
Specifically in respect to FO As the web app collects the fields at right
In respect to written requests the web app collects the fields below
Privacy Impact Assessment September 12 2013
42 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so
43 Intended Use of this Information
The information is used by the respective NARA units to process the requests PMRS extracts nonshysensitive fields in order to measure performance The web logs have no analytical or data mining or reporting ability
44 Sharing of Collected Information
Units can see only their own data not each others The web log enforces this based on individuallogins The web application does not share this data at all
45 Opportunities for Individuals to Decline Providing Information
None If individuals want NARA records they must tell us what they want and give us a way to contact them
46 Security of Coiiected Information
461 How will the data be verified for accuracy timeliness and completeness
a) The people entering the data check it
b) The units check the figures that get published through PMRS as these reflect on their performance
c) Central offices spot check the data in the logs during regular inspections referring to the hard copies of the requests and replies
462 How will consistent nse of the system and data be maintained in all sites
Uniform instructions have been created for all fields These are available through the online help as well as in companion User Guides
Extensive field and cross-field validations are built into the logs themselves These prevent mistakes such as dates from last year or completion dates earlier than receipt dates
Central offices spot check the data in the logs during regular inspections
463 What are the retention periods of data in this system
Three years This is set by the PMRS records schedule Nl-064-03-1
464 What is the procedure for disposition of the data at the end of the retention period
Per the schedule the data is destroyed This is accomplished by a SQL Server scheduled job that runs every October
~ -------------------20
Privacy Impact Assessment September 12 2013
465 Is the system using technologies in ways that the Agency has not previously employed
No
466 How does the use of this technology affect publicemployee privacy
NA No such technology is being used
467 Does the system meet IT security requirements
Yes PMRS has NARA CampA approval
468 Has a risk assessment been performed for this system
Yes
469 Describe any monitoring testing or evaluation done on this system to ensure continued security of information
The units regularly view their performance on the PMRS web site They complain ifthey find something amiss in the data
At the detail level the system stamps every changed record with the date time and the ID of the person making the change
4610 Identify a point of contact for any additional questions regarding the security of the system
Steve Beste CP 301-837-0918
5 Is this a System of Record Covered by the Privacy Act PMRS is not a Privacy Act system of record Nor is it required to be
6 Conclusions and Analysis
61 Did any pertinent issues arise during the drafting of this Assessment
No
62 If so what changes were made to the systemapplication to compensate
NA
7 Approvals The Following Officials Have Approved this PIA
-----------------------------------------------------------21
Privacy Impact Assessment September 12 2013
System Manager 091313
Susan Ashtianie Director Perfonnance and Accountability St ff 3 01-83 7-1490
Senior Agency Official for Privacy Gary M Stern General Counsel amp Senior Agency Official for Privacy 301-837-3026
Chief Information Officer Michael Wash Assistant Archivist for Infonnation Services amp Chief Infonnation Officer 301-837-1992
---------------------------------------------------------------22
Privacy Impact Assessment September 122013
31 Written Request and FOIA Information Being Collected in the Unit Logs
Every month PMRS receives 14 databases containing written request details 2 containing FOIA details and one containing both for a total of 17 databases of interest here The sensitive fields are typically
bull The name of the person making the request (a member of the public)
bull The persons address and telephone number
bull A description of the records being sought
bull The date of the request and the dates of our actions in reply
Of the 17 databases
bull 2 go to the PMRS Administrator in CP
bull 6 go to the PMRS point ofcontact in L the central office of the Legislative Archives Presidential Libraries and Museum Services office
bull 9 go to the PMRS point of contact in R the central office of the Research Services office
All of thesemiddot people save the databases to the PMRS staging area on the PMRSprod server Access to the staging area is limited to the PMRS Administrator and the PMRS points of contact in the Land R central offices As a practical matter none of these people actually looks at the data unless theres a problem The act of saving the file in the staging area launches the PMRS warehouse loader It extracts the fields relevant to timeliness and leaves the sensitive fields behind
On the first of every month the contents of the staging area are zipped and saved to a folder on the PMRSweb server accessible only by the PMRS Administrator The staging area is then emptied ready
middotfor the next month This is an automatic process
32 Why the Written Request and FOIA Information is Being Collected
The sensitive information arrives as a byproduct of collecting other data in these logs PMRS makes no use of it and does not import it into the PMRS warehouse
The alternative would be to have the units send in only extracts of their Jogs Some units do this already The question is whether it makes business sense to expand that design to all units The tradeoffs are these
bull The cost ofbuilding deploying teaching and maintaining 17 extract databases These are small units with limited technical ability CP would have to do the work
bull The additional complexity of the monthly submission step at each unit
bull The limited sensitivity of the data
bull The very limited additional exposure that the present system incurs
bull The value to the public in having NARA track the timeliness of our replies to these requests at reasonable cost
Given the tradeoffs CP concludes that the present design is appropriate
33 Intended Use of this Information
None
-------------------16
Privacy Impact Assessment September 12 2013
34 Sharing of Collected Information
The data is not shared It goes nowhere as describe in the introduction to this section 3 on page 15 above
35 Opportunities for Individuals to Decline Providing Information
None
36 Security of Collected Information
The files in question reside in sequence
bull As email attachments in Group Wise protected by the recipients password
bull In the PMRS staging area Access to that requires first a NARANET login and then an account on the PMRSprod server Very few people have this See section 3 I on page 16 above
bull In the PMRS staging area archive Access to this requires frrst a NARANET login and then an account on the PMRSweb server Only the PMRS Administrator has this
~ 17
Privacy lnqJact Assessment September 12 2013
4 Written Requests amp FOIAs in the PMRS Web Application This diagram is an extract of the one on page 2 It shows just the data about written requests and FOIAs Data flows from the source systems on the left to the website users on the right
Performance Measurement and Reporting System
Written Request amp FOIA Data in PMRS
cgt =Written request amp FOIA data
Please read the introduction to major section 3 on page 15 for an overview of written request and FOIA data in PMRS This section concerns the PMRS web application its FOIA Log and its Written Request Log
About the PMRS Web Application
CP deployed the web app in FY 2004 as a replacement for several dozen Access databases that were then being sent in every month. The old databases were cumbersome, inflexible, and depended on people in the field to push the data to CP. By contrast, the web app allows central maintenance, and CP can pull the data from the database at any time. As the scope of PMRS expanded, the web app allowed CP to collect additional data at relatively low cost.
The downside of the web app is that it puts CP in the business of owning a source system. Normally, source databases are the responsibility of their owners (CMRS, SOFA, FPPS, and all the little Access databases that still come into PMRS). With the web app, CP is obliged to support the field units' requirements for day-to-day management data, at least within certain subject areas. Two of those subject areas are FOIAs and written requests.
In practice, many units chose to keep using their own databases in lieu of the web versions. This is the current situation:
• FOIAs. The big FOIA shops run their own databases. The National Personnel Records Center in St. Louis uses CMRS. Our Washington-area operation uses ADRRES; the PRA libraries and NGC use home-grown Access databases. Only the small shops use the FOIA web log. Of the 12,186 FOIAs received in FY2007, only 3% (360) came into PMRS through the FOIA web log. But these covered 20 NARA units. That is 20 Access databases that we no longer have to chase each month.
• Written requests. Units are very attached to their correspondence logs. Only 5 units out of 41 chose to replace them with the one in the web app. The web app recorded 2,954 written requests in FY2007, 3% of the total excluding National Personnel Records Center.
The web application currently has 281 registered users. Many of these are supervisors and backup users. 154 users are active, having logged into the system in the past three months.
4.1 Written Request and FOIA Information Being Collected in the Web Application
The sensitive fields are typically:
• The name of the person making the request (a member of the public)
• The person's address and telephone number
• A description of the records being sought
• The date of the request and the dates of our actions in reply
Specifically, in respect to FOIAs, the web app collects the fields at right.
[Screenshot: Web - FOIA Data Entry]
In respect to written requests, the web app collects the fields below.
4.2 Why the Written Request and FOIA Information is Being Collected
The information is collected so that units can reply to requests from the public and manage the process of doing so.
4.3 Intended Use of this Information
The information is used by the respective NARA units to process the requests. PMRS extracts non-sensitive fields in order to measure performance. The web logs have no analytical or data mining or reporting ability.
4.4 Sharing of Collected Information
Units can see only their own data, not each other's. The web log enforces this based on individual logins. The web application does not share this data at all.
4.5 Opportunities for Individuals to Decline Providing Information
None. If individuals want NARA records, they must tell us what they want and give us a way to contact them.
4.6 Security of Collected Information
4.6.1 How will the data be verified for accuracy, timeliness, and completeness?
a) The people entering the data check it.
b) The units check the figures that get published through PMRS, as these reflect on their performance.
c) Central offices spot check the data in the logs during regular inspections, referring to the hard copies of the requests and replies.
4.6.2 How will consistent use of the system and data be maintained in all sites?
Uniform instructions have been created for all fields. These are available through the online help as well as in companion User Guides.
Extensive field and cross-field validations are built into the logs themselves. These prevent mistakes such as dates from last year or completion dates earlier than receipt dates.
Central offices spot check the data in the logs during regular inspections.
4.6.3 What are the retention periods of data in this system?
Three years. This is set by the PMRS records schedule, N1-064-03-1.
4.6.4 What is the procedure for disposition of the data at the end of the retention period?
Per the schedule, the data is destroyed. This is accomplished by a SQL Server scheduled job that runs every October.
4.6.5 Is the system using technologies in ways that the Agency has not previously employed?
No.
4.6.6 How does the use of this technology affect public/employee privacy?
N/A. No such technology is being used.
4.6.7 Does the system meet IT security requirements?
Yes. PMRS has NARA C&A approval.
4.6.8 Has a risk assessment been performed for this system?
Yes.
4.6.9 Describe any monitoring, testing, or evaluation done on this system to ensure continued security of information.
The units regularly view their performance on the PMRS web site. They complain if they find something amiss in the data.
At the detail level, the system stamps every changed record with the date, time, and the ID of the person making the change.
4.6.10 Identify a point of contact for any additional questions regarding the security of the system.
Steve Beste, CP, 301-837-0918
5 Is this a System of Record Covered by the Privacy Act?
PMRS is not a Privacy Act system of record. Nor is it required to be.
6 Conclusions and Analysis
6.1 Did any pertinent issues arise during the drafting of this Assessment?
No.
6.2 If so, what changes were made to the system/application to compensate?
N/A
7 Approvals
The Following Officials Have Approved this PIA
System Manager 09/13/13
Susan Ashtianie, Director, Performance and Accountability Staff, 301-837-1490
Senior Agency Official for Privacy: Gary M. Stern, General Counsel & Senior Agency Official for Privacy, 301-837-3026
Chief Information Officer: Michael Wash, Assistant Archivist for Information Services & Chief Information Officer, 301-837-1992